CVE-2003-0899 : Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via

Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expanded to "<" and ">" sequences.

Published 2003-11-03 05:00:00

Updated 2024-02-02 14:01:02

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Threat overview for CVE-2003-0899

Top countries where our scanners detected CVE-2003-0899

Top open port discovered on systems with this issue 22

IPs affected by CVE-2003-0899 472

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2003-0899!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2003-0899

Probability of exploitation activity in the next 30 days: 19.30%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 96 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2003-0899

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2003-0899

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)
CWE-131 Incorrect Calculation of Buffer Size

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2003-0899

https://exchange.xforce.ibmcloud.com/vulnerabilities/13530

thttpd defang function buffer overflow CVE-2003-0899 Vulnerability Report
Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/8906

Broken Link;Exploit;Patch;Third Party Advisory;VDB Entry
http://www.osvdb.org/2729

404 Not Found
Broken Link
http://marc.info/?l=bugtraq&m=106729188224252&w=2

'Remote overflow in thttpd' - MARC
Exploit;Mailing List
http://secunia.com/advisories/10092

About Secunia Research | Flexera
Broken Link;Patch;Vendor Advisory
http://www.texonet.com/advisories/TEXONET-20030908.txt

Just a moment...
Broken Link
https://www.debian.org/security/2003/dsa-396

Debian -- Security Information -- DSA-396-1 thttpd
Broken Link

CVEs referencing this url

Products affected by CVE-2003-0899