CVE-2006-1078
Summary
| CVE | CVE-2006-1078 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2006-03-09 00:02:00 UTC |
| Updated | 2025-04-03 01:03:51 UTC |
| Description | Multiple buffer overflows in htpasswd, as used in Acme thttpd 2.25b, and possibly other products such as Apache, might allow local users to gain privileges via (1) a long command line argument and (2) a long line in a file. NOTE: since htpasswd is normally installed as a non-setuid program, and the exploit is through command line options, perhaps this issue should not be included in CVE. However, if there are some typical or recommended configurations that use htpasswd with sudo privileges, or common products that access htpasswd remotely, then perhaps it should be included. |
Risk And Classification
Primary CVSS: v3.1 8.4 HIGH from ADP
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.001870000 probability, percentile 0.406040000 (date 2026-04-16)
Problem Types: NVD-CWE-Other | n/a | CWE-noinfo Not enough information
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 8.4 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 8.4 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
Access Vector
LocalAccess Complexity
LowAuthentication
NoneConfidentiality
CompleteIntegrity
CompleteAvailability
CompleteAV:L/AC:L/Au:N/C:C/I:C/A:C
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 'Re: [THTTPD] htpasswd.c security issues.' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | |
| SecurityFocus | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| Bugtraq: Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | |
| Acme Labs thttpd HTPasswd Multiple Vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| Full Disclosure: SEC Consult SA-20231122 :: Multiple Vulnerabilities in m-privacy TightGate-Pro | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | |
| m-privacy TightGate-Pro Code Execution / Insecure Permissions ≈ Packet Storm | af854a3a-2127-422b-91ae-364da2661108 | packetstormsecurity.com | |
| IBM X-Force Exchange | af854a3a-2127-422b-91ae-364da2661108 | exchange.xforce.ibmcloud.com | |
| IBM X-Force Exchange | af854a3a-2127-422b-91ae-364da2661108 | exchange.xforce.ibmcloud.com | |
| Bug 31975 - httpd-1.3.33: buffer overflow in htpasswd if called with long arguments | af854a3a-2127-422b-91ae-364da2661108 | issues.apache.org | |
| '[THTTPD] htpasswd.c security issues.' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | |
| [Full-disclosure] Apache 1.3.37 htpasswd buffer overflow vulnerability | af854a3a-2127-422b-91ae-364da2661108 | lists.grok.org.uk | |
| 41279 – Apache 1.3.37 htpasswd is vulnerable to buffer overflow vulnerability | af854a3a-2127-422b-91ae-364da2661108 | issues.apache.org | |
| Page not found – Security Express | af854a3a-2127-422b-91ae-364da2661108 | www.security-express.com | |
| Neohapsis Archives - Full Disclosure List - #0547 - [Full-Disclosure] FlowSecurity.org: Local Stack Overflow on htpasswd apache 1.3.31 advsory. | af854a3a-2127-422b-91ae-364da2661108 | archives.neohapsis.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.