Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3 vulnerabilities by hiawatha-webserver
CVE-2025-57784 (GCVE-0-2025-57784)
Vulnerability from cvelistv5 – Published: 2026-01-26 17:47 – Updated: 2026-01-26 20:52
VLAI?
Title
Tomahawk authentication timing attack due to usage of 'strcmp'
Summary
Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client.
Severity ?
4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hiawatha | Hiawatha Web server |
Affected:
11.7 , ≤ 8.5
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-57784",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T20:51:24.745237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T20:52:06.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Hiawatha Web server",
"vendor": "Hiawatha",
"versions": [
{
"lessThanOrEqual": "8.5",
"status": "affected",
"version": "11.7",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T17:47:19.382Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/tomahawk.c?ref_type=heads#L429"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Tomahawk authentication timing attack due to usage of \u0027strcmp\u0027",
"x_generator": {
"engine": "VINCE 3.0.31",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2025-57784"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2025-57784",
"datePublished": "2026-01-26T17:47:19.382Z",
"dateReserved": "2025-08-19T17:36:13.586Z",
"dateUpdated": "2026-01-26T20:52:06.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-57783 (GCVE-0-2025-57783)
Vulnerability from cvelistv5 – Published: 2026-01-26 17:45 – Updated: 2026-01-26 20:55
VLAI?
Title
Improper header parsing may lead to request smuggling
Summary
Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hiawatha | Hiawatha Web server |
Affected:
11.7 , ≤ 8.5
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-57783",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T20:54:38.078522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T20:55:04.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Hiawatha Web server",
"vendor": "Hiawatha",
"versions": [
{
"lessThanOrEqual": "8.5",
"status": "affected",
"version": "11.7",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper header parsing may lead to request smuggling has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T17:45:36.947Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/http.c?ref_type=heads#L205"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper header parsing may lead to request smuggling",
"x_generator": {
"engine": "VINCE 3.0.31",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2025-57783"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2025-57783",
"datePublished": "2026-01-26T17:45:36.947Z",
"dateReserved": "2025-08-19T17:36:13.585Z",
"dateUpdated": "2026-01-26T20:55:04.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-8358 (GCVE-0-2019-8358)
Vulnerability from cvelistv5 – Published: 2019-02-16 18:00 – Updated: 2024-09-16 17:59
VLAI?
Summary
In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:17:30.673Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.hiawatha-webserver.org/changelog"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-16T18:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.hiawatha-webserver.org/changelog"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-8358",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.hiawatha-webserver.org/changelog",
"refsource": "CONFIRM",
"url": "https://www.hiawatha-webserver.org/changelog"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-8358",
"datePublished": "2019-02-16T18:00:00.000Z",
"dateReserved": "2019-02-16T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:59:07.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}