CVE-2008-0407

critical

Description

HTTP File Server (HFS) before 2.2c tags HTTP request log entries with the username sent during HTTP Basic Authentication, regardless of whether authentication succeeded, which might make it more difficult for an administrator to determine who made a remote request.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/39877

http://www.syhunt.com/advisories/hfs-1-username.txt

http://www.securityfocus.com/bid/27423

http://www.securityfocus.com/archive/1/486874/100/0/threaded

http://www.rejetto.com/hfs/?f=wn

http://securityreason.com/securityalert/3582

http://secunia.com/advisories/28631

Details

Source: Mitre, NVD

Published: 2008-01-29

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.0044