CWE-178
Improper Handling of Case Sensitivity
Description
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (67)
page 1 of 4| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2001-0766 | Cri | 0.67 | 9.8 | 0.09 | Oct 18, 2001 | Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters. | ||
| CVE-2026-47323 | Cri | 0.64 | 9.8 | 0.01 | May 19, 2026 | Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in… | ||
| CVE-2005-0269 | Cri | 0.64 | 9.8 | 0.03 | May 2, 2005 | The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters. | ||
| CVE-2004-2154 | Cri | 0.64 | 9.8 | 0.02 | Dec 31, 2004 | CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive. | ||
| CVE-2004-2214 | Cri | 0.64 | 9.8 | 0.03 | Dec 31, 2004 | Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to bypass access restrictions via a URI with mixed case characters. | ||
| CVE-2002-2119 | Cri | 0.64 | 9.8 | 0.03 | Dec 31, 2002 | Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which makes it easier for remote attackers to conduct brute force password guessing. | ||
| CVE-2002-1820 | Cri | 0.64 | 9.8 | 0.02 | Dec 31, 2002 | register.php in Ultimate PHP Board (UPB) 1.0 and 1.0b uses an administrative account Admin with a capital "A," but allows a remote attacker to impersonate the administrator by registering an account name of admin with a lower case "a." | ||
| CVE-2026-46392 | Hig | 0.57 | 8.7 | 0.00 | Jun 5, 2026 | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces… | ||
| CVE-2026-40453 | Cri | 0.57 | 9.9 | 0.01 | Apr 27, 2026 | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP… | ||
| CVE-2026-28292 | Cri | 0.57 | 9.8 | 0.01 | Mar 10, 2026 | `simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine.… | ||
| CVE-2003-0411 | Hig | 0.54 | 7.5 | 0.27 | Jun 30, 2003 | Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase ".JSP" extension instead of the lowercase .jsp extension. | ||
| CVE-2007-3365 | Hig | 0.52 | 7.5 | 0.06 | Jun 22, 2007 | MyServer 0.8.9 and earlier does not properly handle uppercase characters in filename extensions, which allows remote attackers to obtain sensitive information (script source code) via a modified extension, as demonstrated by post.mscgI. | ||
| CVE-1999-0239 | Hig | 0.52 | 7.5 | 0.07 | Jan 1, 1998 | Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET. | ||
| CVE-2001-1238 | Hig | 0.51 | 7.8 | 0.01 | Jul 16, 2001 | Task Manager in Windows 2000 does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped with the… | ||
| CVE-2025-67718 | Hig | 0.50 | — | 0.00 | Dec 11, 2025 | Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or… | ||
| CVE-2004-1083 | Hig | 0.49 | 7.5 | 0.02 | Dec 3, 2004 | Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files beginning with ".ht" using alternate… | ||
| CVE-2002-0485 | Hig | 0.49 | 7.5 | 0.01 | Aug 12, 2002 | Norton Anti-Virus (NAV) allows remote attackers to bypass content filtering via attachments whose Content-Type and Content-Disposition headers are mixed upper and lower case, which is ignored by some mail clients. | ||
| CVE-2001-0795 | Hig | 0.49 | 7.5 | 0.02 | Oct 18, 2001 | Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names. | ||
| CVE-2000-0498 | Hig | 0.49 | 7.5 | 0.02 | Jun 8, 2000 | Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. | ||
| CVE-2000-0499 | Hig | 0.49 | 7.5 | 0.03 | Jun 8, 2000 | The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. |
- risk 0.67cvss 9.8epss 0.09
Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters.
- risk 0.64cvss 9.8epss 0.01
Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in…
- risk 0.64cvss 9.8epss 0.03
The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.
- risk 0.64cvss 9.8epss 0.02
CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive.
- risk 0.64cvss 9.8epss 0.03
Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to bypass access restrictions via a URI with mixed case characters.
- risk 0.64cvss 9.8epss 0.03
Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which makes it easier for remote attackers to conduct brute force password guessing.
- risk 0.64cvss 9.8epss 0.02
register.php in Ultimate PHP Board (UPB) 1.0 and 1.0b uses an administrative account Admin with a capital "A," but allows a remote attacker to impersonate the administrator by registering an account name of admin with a lower case "a."
- risk 0.57cvss 8.7epss 0.00
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces…
- risk 0.57cvss 9.9epss 0.01
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP…
- risk 0.57cvss 9.8epss 0.01
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine.…
- risk 0.54cvss 7.5epss 0.27
Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase ".JSP" extension instead of the lowercase .jsp extension.
- risk 0.52cvss 7.5epss 0.06
MyServer 0.8.9 and earlier does not properly handle uppercase characters in filename extensions, which allows remote attackers to obtain sensitive information (script source code) via a modified extension, as demonstrated by post.mscgI.
- risk 0.52cvss 7.5epss 0.07
Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.
- risk 0.51cvss 7.8epss 0.01
Task Manager in Windows 2000 does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped with the…
- risk 0.50cvss —epss 0.00
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or…
- risk 0.49cvss 7.5epss 0.02
Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files beginning with ".ht" using alternate…
- risk 0.49cvss 7.5epss 0.01
Norton Anti-Virus (NAV) allows remote attackers to bypass content filtering via attachments whose Content-Type and Content-Disposition headers are mixed upper and lower case, which is ignored by some mail clients.
- risk 0.49cvss 7.5epss 0.02
Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.
- risk 0.49cvss 7.5epss 0.02
Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.
- risk 0.49cvss 7.5epss 0.03
The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.