CVE-2014-5015

Summary

CVE	CVE-2014-5015
State	PUBLISHED
Assigner	debian
Source Priority	CVE Program / NVD first with legacy fallback
Published	2014-07-24 14:55:09 UTC
Updated	2026-05-06 22:30:45 UTC
Description	bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD, truncates paths when checking .htpasswd restrictions, which allows remote attackers to bypass the HTTP authentication scheme and access restrictions via a long path.

Risk And Classification

Primary CVSS: v2.0 5 from [email protected]

AV:N/AC:L/Au:N/C:P/I:N/A:N

Problem Types: CWE-264 | n/a

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

AV:N/AC:L/Au:N/C:P/I:N/A:N

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Eterna	Bozohttpd	19990519	All	All	All
Application	Eterna	Bozohttpd	20000421	All	All	All
Application	Eterna	Bozohttpd	20000426	All	All	All
Application	Eterna	Bozohttpd	20000427	All	All	All
Application	Eterna	Bozohttpd	20000815	All	All	All
Application	Eterna	Bozohttpd	20000825	All	All	All
Application	Eterna	Bozohttpd	20010610	All	All	All
Application	Eterna	Bozohttpd	20010812	All	All	All
Application	Eterna	Bozohttpd	20010922	All	All	All
Application	Eterna	Bozohttpd	20020710	All	All	All
Application	Eterna	Bozohttpd	20020730	All	All	All
Application	Eterna	Bozohttpd	20020803	All	All	All
Application	Eterna	Bozohttpd	20020804	All	All	All
Application	Eterna	Bozohttpd	20020823	All	All	All
Application	Eterna	Bozohttpd	20020913	All	All	All
Application	Eterna	Bozohttpd	20021106	All	All	All
Application	Eterna	Bozohttpd	20030313	All	All	All
Application	Eterna	Bozohttpd	20030409	All	All	All
Application	Eterna	Bozohttpd	20030626	All	All	All
Application	Eterna	Bozohttpd	20031005	All	All	All
Application	Eterna	Bozohttpd	20040218	All	All	All
Application	Eterna	Bozohttpd	20040808	All	All	All
Application	Eterna	Bozohttpd	20050410	All	All	All
Application	Eterna	Bozohttpd	20060517	All	All	All
Application	Eterna	Bozohttpd	20060710	All	All	All
Application	Eterna	Bozohttpd	20080303	All	All	All
Application	Eterna	Bozohttpd	20090417	All	All	All
Application	Eterna	Bozohttpd	20090522	All	All	All
Application	Eterna	Bozohttpd	20100509	All	All	All
Application	Eterna	Bozohttpd	20100512	All	All	All
Application	Eterna	Bozohttpd	20100617	All	All	All
Application	Eterna	Bozohttpd	20100621	All	All	All
Application	Eterna	Bozohttpd	20100920	All	All	All
Application	Eterna	Bozohttpd	20111118	All	All	All
Application	Eterna	Bozohttpd	20140102	All	All	All
Application	Eterna	Bozohttpd	All	All	All	All
Operating System	Netbsd	Netbsd	5.1	All	All	All
Operating System	Netbsd	Netbsd	5.2	All	All	All
Operating System	Netbsd	Netbsd	6.0	All	All	All
Operating System	Netbsd	Netbsd	6.1	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Na	N/a	affected n/a	Not specified

References

Reference	Source	Link	Tags
www.eterna.com.au/bozohttpd/CHANGES	af854a3a-2127-422b-91ae-364da2661108	www.eterna.com.au
IBM X-Force Exchange	af854a3a-2127-422b-91ae-364da2661108	exchange.xforce.ibmcloud.com
bozohttpd 'snprintf()' Function Authentication Bypass Vulnerability	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com
oss-sec: Re: CVE Request: bozohttpd: basic http authentication bypass	af854a3a-2127-422b-91ae-364da2661108	seclists.org
www.osvdb.org/109283	af854a3a-2127-422b-91ae-364da2661108	www.osvdb.org
ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-007.txt.asc	af854a3a-2127-422b-91ae-364da2661108	ftp.netbsd.org	Vendor Advisory
bozotic HTTP server	af854a3a-2127-422b-91ae-364da2661108	www.eterna.com.au	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.