Vulnerability Description
bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eterna | Bozohttpd | <= 20140201 |
| Netbsd | Netbsd | 5.1 |
Related Weaknesses (CWE)
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.ascVendor Advisory
- http://seclists.org/oss-sec/2014/q3/180
- http://www.eterna.com.au/bozohttpd/Patch
- http://www.eterna.com.au/bozohttpd/CHANGES
- http://www.osvdb.org/109283
- http://www.securityfocus.com/bid/68752
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94751
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.ascVendor Advisory
- http://seclists.org/oss-sec/2014/q3/180
- http://www.eterna.com.au/bozohttpd/Patch
- http://www.eterna.com.au/bozohttpd/CHANGES
- http://www.osvdb.org/109283
- http://www.securityfocus.com/bid/68752
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94751
FAQ
What is CVE-2014-5015?
CVE-2014-5015 is a vulnerability with a CVSS score of 5.0 (MEDIUM). bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and...
How severe is CVE-2014-5015?
CVE-2014-5015 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-5015?
Check the references section above for vendor advisories and patch information. Affected products include: Eterna Bozohttpd, Netbsd Netbsd.