oss-sec mailing list archives
Re: CVE Request: mini-httpd (<= v1.30) is affected by a response discrepancy information exposure (CWE-204)
From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 12 Dec 2018 17:36:40 +0100
Hi,

On Wed, Dec 12, 2018 at 04:27:02PM +0100, Salva Peiró wrote:
> Hi everyone,
>
> The mini-httpd daemon (version <= v1.30) shipped in Debian/Ubuntu from [1] is affected by a response discrepancy information exposure (CWE-204) that enables an attacker to remotely enumerate valid htpasswd usernames (RFC 7617).
>
> A more detailed advisory can be found at:
> https://speirofr.appspot.com/files/advisory/SPADV-2018-01.md
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916190
>
> Is there a CVE for this? If not, could one be assigned, please?

Can you request a CVE directly via https://cveform.mitre.org/ ?

Regards,
Salvatore
