CVE-2002-1658
Description
Buffer overflow in htdigest in Apache 1.3.26 and 1.3.27 may allow attackers to execute arbitrary code via a long user argument. NOTE: since htdigest is normally only locally accessible and not setuid or setgid, there are few attack vectors which would lead to an escalation of privileges, unless htdigest is executed from a CGI program. Therefore this may not be a vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer overflow in Apache htdigest (1.3.26/27) via long user argument; limited local attack surface unless invoked from CGI, reducing privilege escalation risk.
Vulnerability
A buffer overflow vulnerability exists in the htdigest utility included with Apache HTTP Server versions 1.3.26 and 1.3.27. The overflow occurs when a long user argument is passed to htdigest, potentially allowing an attacker to overwrite adjacent memory. This code path is reachable only when htdigest is executed with a crafted command-line argument [1].
Exploitation
Exploitation requires the attacker to have local access to the system or the ability to influence the arguments passed to htdigest. The utility is not setuid or setgid, so normal local users cannot leverage it to gain higher privileges directly. However, if htdigest is invoked from a CGI script (e.g., in a web application), a remote attacker might indirectly trigger the overflow by supplying a malicious user parameter. The original advisory notes that the attack surface is limited and privilege escalation is unlikely unless a CGI wrapper is used [1].
Impact
Successful exploitation could lead to arbitrary code execution in the context of the user running htdigest. Since htdigest is typically run by an unprivileged user (or the web server user), the attacker would gain only the same limited privileges, not root or administrative access. The primary impact is a denial of service or potential low-privilege code execution, but the advisory considers this a low-severity issue due to the constrained attack vectors [1].
Mitigation
No official patch for this specific buffer overflow was released for Apache 1.3.26 or 1.3.27. The Apache Software Foundation discontinued the Apache 1.3 series long ago; users should upgrade to a supported version (e.g., Apache 2.x). As a workaround, avoid invoking htdigest from CGI contexts, and restrict local access to the utility to trusted users only. The vulnerability is not listed on CISA's KEV [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*
- Range: 1.3.26, 1.3.27
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.