High severity7.5NVD Advisory· Published Jun 9, 2015· Updated May 6, 2026

CVE-2015-3200

Description

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.

Affected products

HP/Virtual Customer Access System
cpe:2.3:a:hp:virtual_customer_access_system:*:*:*:*:*:*:*:*
Range: <=15.07
Lighttpd/Lighttpd
cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*
Range: <=1.4.35
Oracle Corporation/Solaris
cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

jaanuskp.blogspot.com/2015/05/cve-2015-3200.htmlnvdExploitThird Party Advisory
redmine.lighttpd.net/issues/2646nvdVendor Advisory
www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.htmlnvdThird Party Advisory
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvdVendor Advisory
www.securitytracker.com/id/1032405nvdVDB Entry
lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.htmlnvd
lists.fedoraproject.org/pipermail/package-announce/2015-August/163286.htmlnvd
www.securityfocus.com/bid/74813nvd
kc.mcafee.com/corporate/indexnvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.016
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000