CVE-2018-18778
published 2018-10-29

CVE-2018-18778: ACME mini_httpd before 1.30 lets remote users read arbitrary files.

Priority: P2 (63)
Severity: medium (CVSS 3.0 base score 6.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 74.04% (99.4th percentile)

Affected (6 ranges)

Vendor   Product     Version range            Fixed in
acme     mini-httpd  < 1.30                   1.30
acme     mini-httpd  >= 0, < 1.30-0.1         1.30-0.1
acme     mini-httpd  >= 0, < 1.30-0.1         1.30-0.1
acme     mini-httpd  >= 0, < 1.30-0.1         1.30-0.1
acme     mini-httpd  >= 0, < 1.30-0.1         1.30-0.1
debian   mini-httpd  < 1.30-0.1 (bookworm)    1.30-0.1 (bookworm)

Detection & IOCs (extracted from sources)

IOC (path):   /etc/passwd
IOC (other):  Server: mini_httpd
Sigma rule:   HTTP GET request matching a path traversal to /etc/passwd, with a 200 response whose body matches root:.*:0:0:
  • Detect exploitation attempts by monitoring HTTP GET requests for absolute filesystem paths such as /etc/passwd sent to servers that answer with 'Server: mini_httpd'; a 200 response whose body contains a root:...:0:0: line confirms that the read succeeded.
  • Fingerprint mini_httpd instances via the Server response header value 'Server: mini_httpd'; where the header carries a version string, versions before 1.30 are vulnerable.
  • Exploitation is triggered via HTTP GET requests with empty headers; monitor for requests with a malformed or missing Host header against mini_httpd servers.
  • The vulnerability stems from the de_dotdot path sanitization routine failing to block absolute path traversal (e.g. /etc/passwd); detect requests whose root-anchored path resolves outside the web root.
  • Shodan queries can identify exposed instances: search for 'Server: mini_httpd' with HTTP 200 responses.
  • The vulnerability is exploitable by remote (network) attackers even though the Debian tracker lists its scope as 'local'; NVD and the Ubuntu advisory confirm that remote exploitation is possible.
  • The fix was introduced in mini_httpd 1.30; all prior versions are vulnerable. Debian fixed it in package version 1.30-0.1.
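The rule and the fingerprinting check above, as an added example that is not from this page, from any published Sigma rule, or from mini_httpd itself: a small Python detector run over constructed HTTP transaction records. The record layout (method, request-target, Host header, status, Server header, body) is this example's own assumption, as is the assumption that the Server header may carry a version suffix of the form mini_httpd/<version>. It goes a little beyond the page's wording by percent-decoding the request-target and treating both the bare absolute path and ../-prefixed variants as traversal to /etc/passwd.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote


# Minimal HTTP transaction record. The field set is an assumption made for
# this example, not a schema from the CVE entry or from mini_httpd.
@dataclass
class HttpRecord:
    method: str
    path: str                   # request-target as seen on the wire
    host_header: Optional[str]  # None when the request carried no Host header
    status: int
    server_header: str          # value of the response Server header
    body: str                   # response body (first few KB is enough)


# Response-body signature for a leaked /etc/passwd: the root entry (uid 0, gid 0).
PASSWD_BODY = re.compile(r"root:[^:]*:0:0:")
# Server header: product name with an optional "/x.y" version suffix (assumed format).
SERVER_RE = re.compile(r"^mini_httpd(?:/(\d+(?:\.\d+)*))?")
FIXED_IN = (1, 30)


def fingerprint(server_header: str) -> str:
    """Classify a Server header: vulnerable / fixed / unknown-version / not-mini_httpd."""
    m = SERVER_RE.match(server_header.strip())
    if not m:
        return "not-mini_httpd"
    if not m.group(1):
        return "unknown-version"
    version = tuple(int(x) for x in m.group(1).split("."))
    return "vulnerable" if version < FIXED_IN else "fixed"


def normalize_target(path: str) -> str:
    """Drop the query string and percent-decode twice (double-encoded ../ is common)."""
    return unquote(unquote(path.split("?", 1)[0]))


def match_rule(rec: HttpRecord) -> Optional[str]:
    """Return a reason string when rec satisfies the detection rule, else None."""
    if rec.method != "GET":
        return None
    if fingerprint(rec.server_header) == "not-mini_httpd":
        return None
    if rec.status != 200:
        return None
    target = normalize_target(rec.path)
    if not target.endswith("/etc/passwd"):
        return None
    if not PASSWD_BODY.search(rec.body):
        return None
    if ".." in target.split("/"):
        reason = "dot-dot traversal to /etc/passwd"
    else:
        reason = "absolute path /etc/passwd"
    if rec.host_header is None:
        reason += " (no Host header)"   # the empty-headers trigger noted above
    return reason


def run_detection(records: List[HttpRecord]) -> List[Tuple[int, str]]:
    """Evaluate the rule over a batch; returns (index, reason) for each hit."""
    hits = []
    for i, rec in enumerate(records):
        reason = match_rule(rec)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample traffic (not captured data).
SAMPLE_RECORDS = [
    HttpRecord("GET", "/etc/passwd", None, 200, "mini_httpd/1.29",
               "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"),
    HttpRecord("GET", "/..%2f..%2fetc/passwd", "10.0.0.5", 200, "mini_httpd/1.29",
               "root:x:0:0:root:/root:/bin/sh\n"),
    HttpRecord("GET", "/etc/passwd", "10.0.0.5", 404, "mini_httpd/1.30",
               "<html>404 Not Found</html>"),
    HttpRecord("GET", "/etc/passwd", "10.0.0.5", 200, "Apache/2.4",
               "root:x:0:0:root:/root:/bin/bash\n"),
    HttpRecord("GET", "/index.html", "10.0.0.5", 200, "mini_httpd/1.29",
               "<html>root:x:0:0: is only mentioned here</html>"),
]

if __name__ == "__main__":
    for idx, why in run_detection(SAMPLE_RECORDS):
        print(f"record {idx}: {why}")
```

The body check is what carries the rule: the absolute-path variant (/etc/passwd with no ../) is indistinguishable on the request side from a legitimate request for a file literally named etc/passwd under the document root, so a request-only version of this rule would fire on every scanner probe against every web server. Records that never log the response body can only produce lower-confidence alerts from the request path plus the Server header.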

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.0     6.5    MEDIUM    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd             v2.0     4.0    MEDIUM    AV:N/AC:L/Au:S/C:P/I:N/A:N
osv                      6.5    MEDIUM
vendor_debian            6.5    MEDIUM