CVE-2003-0899

CRITICAL

Acme Thttpd < 2.23 - Buffer Overflow

Title source: rule

Description

Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expanded to "<" and ">" sequences.

Exploits (2)

exploitdb WORKING POC VERIFIED

by d3ck4 · cremotelinux

https://www.exploit-db.com/exploits/23306

View Code ZIP pw:eip

exploitdb WRITEUP VERIFIED

by Joel Soderberg · cdoslinux

https://www.exploit-db.com/exploits/23305

View Code ZIP pw:eip

References (7)

[Exploit, Mailing List] http://marc.info/?l=bugtraq&m=106729188224252&w=2

[Broken Link, Patch, Vendor Advisory] http://secunia.com/advisories/10092

[Broken Link] http://www.osvdb.org/2729

[Broken Link, Exploit, Patch, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/8906

[Broken Link, URL Repurposed] http://www.texonet.com/advisories/TEXONET-20030908.txt

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/13530

[Broken Link] https://www.debian.org/security/2003/dsa-396

Scores

CVSS v3 9.8

EPSS 0.2046

EPSS Percentile 95.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-131

Status published

Products (2)

acme/thttpd 2.23 (2 CPE variants)

acme/thttpd 2.21 - 2.23

Published Nov 03, 2003

Tracked Since Feb 18, 2026