Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2001-0925: Path Traversal in Apache Http Server

CWE-22: Path Traversal (7 documents, 4 sources)

Severity: 5.0 MEDIUM (NVD)
EPSS: 89.5% (top 0.44%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Mar 12; latest update Apr 30

Description

The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2) mod_dir, or (3) mod_autoindex.

CVSS vector

AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (1 package)

NVD: apache/http_server (4 versions, +3)

Also affects: Debian Linux 2.2

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-qr8r-5469-gp63: The default installation of Apache before 1 (2022-04-30)
CVEList: CVE-2001-0925: The default installation of Apache before 1 (2002-02-02)

💥 Exploits & PoCs (4)

Exploit-DB: Apache 1.3 - Artificially Long Slash Path Directory Listing (2), 2002-02-21
Exploit-DB: Apache 1.3 - Artificially Long Slash Path Directory Listing (4), 2001-06-13
Exploit-DB: Apache 1.3 - Artificially Long Slash Path Directory Listing (3), 2001-06-13
Exploit-DB: Apache 1.3 - Artificially Long Slash Path Directory Listing (1), 2001-06-13