CVE-2004-1897
Description
Monit 1.4 to 4.2 crashes via crafted Basic authentication request without password, causing denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A denial of service vulnerability exists in the administration interface of Monit versions 1.4 through 4.2 (and 4.3 Beta 2 and prior) [2]. When processing a Basic authentication request without a password, Monit decrements a pointer returned by strchr() without a NULL check, leading to an out-of-bounds read and segmentation fault [2]. The vulnerability is exploitable only when the HTTP/HTTPS administration interface is enabled [2].
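The defect described above is a missing NULL check on the result of strchr() when the decoded Basic credential contains no ":" separator. The following C is an added illustration, not Monit's code: a hardened parser for the "user:password" string obtained by base64-decoding the credential, with the check in place, wrapped in a small header handler that rejects the malformed request instead of crashing. The function names, the 400/401 status choices and the sample header values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative code, not Monit's own. It shows the check whose absence
 * CVE-2004-1897 describes: strchr() returns NULL when the decoded
 * credential has no ':', and pointer arithmetic on that NULL is what
 * turns a malformed request into a segmentation fault. */

enum auth_parse_result {
    AUTH_OK = 0,
    AUTH_NO_SEPARATOR = -1,   /* decoded credential contains no ':' */
    AUTH_TOO_LONG = -2        /* user or password does not fit the buffer */
};

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Minimal base64 decoder (assumed helper). NUL-terminates the output and
 * returns the decoded length, or -1 on an invalid character or overflow. */
int base64_decode(const char *in, char *out, size_t out_len)
{
    size_t n = 0;
    unsigned int acc = 0;
    int bits = 0;

    for (; *in != '\0' && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0)
            return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= out_len)
                return -1;
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Splits "user:password" into its two parts. The NULL check on strchr()
 * is the line the vulnerable code lacked. */
int parse_basic_credential(const char *decoded, char *user, size_t user_len,
                           char *pass, size_t pass_len)
{
    const char *sep;
    size_t ulen, plen;

    if (decoded == NULL)
        return AUTH_NO_SEPARATOR;

    sep = strchr(decoded, ':');
    if (sep == NULL)              /* no separator: refuse, never do sep - 1 */
        return AUTH_NO_SEPARATOR;

    ulen = (size_t)(sep - decoded);
    plen = strlen(sep + 1);       /* may legitimately be 0 ("user:") */
    if (ulen >= user_len || plen >= pass_len)
        return AUTH_TOO_LONG;

    memcpy(user, decoded, ulen);
    user[ulen] = '\0';
    memcpy(pass, sep + 1, plen);
    pass[plen] = '\0';
    return AUTH_OK;
}

/* Convenience wrapper so the parse result can be checked without buffers. */
int parse_result_code(const char *decoded)
{
    char user[64], pass[64];
    return parse_basic_credential(decoded, user, sizeof user, pass, sizeof pass);
}

/* Takes the value of an Authorization header, e.g. "Basic dXNlcjpzZWNyZXQ=",
 * and returns the HTTP status the server should answer with (assumed policy):
 * 401 when the Basic scheme is absent, 400 when the credential is malformed,
 * 200 when a well-formed user:password pair was extracted. It does not verify
 * the password against anything. */
int check_basic_authorization(const char *header_value)
{
    char decoded[256], user[128], pass[128];

    if (header_value == NULL || strncmp(header_value, "Basic ", 6) != 0)
        return 401;
    if (base64_decode(header_value + 6, decoded, sizeof decoded) < 0)
        return 400;
    if (parse_basic_credential(decoded, user, sizeof user,
                               pass, sizeof pass) != AUTH_OK)
        return 400;
    return 200;
}

int main(void)
{
    /* Constructed sample headers: "user:secret" and "user" (no separator). */
    printf("well-formed  -> %d\n", check_basic_authorization("Basic dXNlcjpzZWNyZXQ="));
    printf("no password  -> %d\n", check_basic_authorization("Basic dXNlcg=="));
    return 0;
}
```

The point of the wrapper is that a credential without a separator is an input-validation failure to be answered with an error status, never a condition the parser assumes cannot happen.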
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request with Basic authorization but omitting the password field [2]. No authentication is required; the request can be generated using a simple web browser [2]. Monit base64-decodes the credentials and then splits them into user and password; the absence of a password is what leads to the faulty pointer manipulation and the crash [2].
Impact
Successful exploitation causes Monit to terminate with a segmentation fault, resulting in a denial of service [2]. The vulnerability does not allow privilege escalation or data disclosure; the impact is solely on availability of the monitoring service [2].
Mitigation
The vulnerability is fixed in Monit versions later than 4.2 (e.g., 4.3 and above) [2]. Users should upgrade to a patched version. As a workaround, disable the administration interface if not required, or restrict network access to trusted hosts [2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=1.4, <=4.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The administration interface mishandles Basic Authentication requests lacking a password, leading to a null pointer dereference and out-of-bounds read."
Attack vector
An attacker can trigger this vulnerability by sending a Basic Authentication request to the Monit administration interface without providing a password. This malformed request causes Monit to attempt to dereference a null pointer, which results in a segmentation fault and denial of service. The vulnerability is present in Monit versions 1.4 through 4.2 [ref_id=1].
Affected code
The vulnerability resides within the administration interface of Monit, specifically in how it processes Basic Authentication credentials. The issue occurs when a password is not provided in the authentication request, leading to a null pointer dereference and an out-of-bounds read.
What the fix does
The advisory does not provide specific details on the patch or fix implemented for this vulnerability. However, it is implied that the fix addresses the improper handling of Basic Authentication requests that lack a password, preventing the null pointer dereference and subsequent segmentation fault. The advisory lists numerous fixes for various versions, but does not detail the specific fix for this CVE.
Preconditions
- network: The Monit administration interface must be accessible over the network.
- input: A Basic Authentication request must be sent without a password.
Reproduction
http://www.securityfocus.com/bid/10051
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions (0)
No linked articles in our index yet.