CVE-2001-0334
published 2001-06-27CVE-2001-0334: FTP service in IIS 5.0 and earlier allows remote attackers to cause a denial of service via a wildcard sequence that generates a long string when it is…
PriorityP425high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
14.72%
96.2th percentile
FTP service in IIS 5.0 and earlier allows remote attackers to cause a denial of service via a wildcard sequence that generates a long string when it is expanded.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_information_server | <= 5.0 | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
Incorrect Calculation of Buffer Size
mitre_cwe
CWE-131 Incorrect Calculation of Buffer Size
CWE-131: Incorrect Calculation of Buffer Size
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity, Availability, Confidentiality. Impact: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Read Memory, Modify Memory. If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing arbitrary code execution, or exposing sensitive data.
Detection Methods:
Automated Static Analysis: This
CWE
Improper Neutralization of Wildcards or Matching Symbols
mitre_cwe
CWE-155 Improper Neutralization of Wildcards or Matching Symbols
CWE-155: Improper Neutralization of Wildcards or Matching Symbols
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.
As data is parsed, an injected element may cause the process to take unexpected actions.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Unexpected State.
Detection Methods:
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building
CWE
Path Equivalence: 'filename/' (Trailing Slash)
mitre_cwe·CVSS 5.0
[MEDIUM] CWE-49 Path Equivalence: 'filename/' (Trailing Slash)
CWE-49: Path Equivalence: 'filename/' (Trailing Slash)
The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Modes of Introduction:
Phase: Implementation
Phase: Operation
Common Consequences:
Scope: Confidentiality, Integrity. Impact: Read Files or Directories, Modify Files or Directories.
Observed Examples:
CVE-2002-0253: Overlaps infoleak
CVE-2001-0446: Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL.
CVE-2004-0334: Bypass Basic Authentication for files using trailing "/"
CVE-2001-0893: Read sensitive files with trailing "/
2001-06-27
Published