CVE-2003-0899
CVSS 9.8 · CRITICAL
Summary
Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expanded to "&lt;" and "&gt;" sequences.
CVSS 3.1 breakdown
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Acme thttpd
References
- http://marc.info/?l=bugtraq&m=106729188224252&w=2
- http://secunia.com/advisories/10092
- http://www.osvdb.org/2729
- http://www.securityfocus.com/bid/8906
- http://www.texonet.com/advisories/TEXONET-20030908.txt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13530
- https://www.debian.org/security/2003/dsa-396
Data: NIST NVD. NVD last modified 2026-04-16. Always verify against the vendor advisory before acting.