CVE-2008-4359: Sensitive Information Exposure in Lighttpd

Severity: 7.5 HIGH (NVD)
EPSS: 0.5% (top 35.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 3
Latest update: May 2

Description

lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.
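The ordering problem described above, as an added illustration that is not lighttpd's own code: a minimal Python model of a url.redirect-style rule table, routing a request with the pre-1.4.20 ordering (match the raw URI, then decode) beside the fixed ordering (decode, then match). The rule pattern and request paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed rule table in the spirit of lighttpd's url.redirect:
# any path under /admin/ is sent to a login page (example values only).
REDIRECT_RULES = [
    (re.compile(r"^/admin(/|$)"), "/login"),
]


def match_rules(path, rules):
    """Return the redirect target of the first rule matching `path`, else None."""
    for pattern, target in rules:
        if pattern.search(path):
            return target
    return None


def route_vulnerable(raw_uri, rules=REDIRECT_RULES):
    """Pre-1.4.20 ordering: rules see the still-encoded request-URI, while the
    later file lookup uses the decoded path. The two can disagree."""
    target = match_rules(raw_uri, rules)
    decoded = unquote(raw_uri)
    return ("redirect", target) if target else ("serve", decoded)


def route_fixed(raw_uri, rules=REDIRECT_RULES):
    """Fixed ordering: decode once, then match the rules against the same
    path string that the file lookup will use."""
    decoded = unquote(raw_uri)
    target = match_rules(decoded, rules)
    return ("redirect", target) if target else ("serve", decoded)


def orderings_disagree(raw_uri, rules=REDIRECT_RULES):
    """Audit helper: True when a request would be handled differently by the
    two orderings, i.e. when the rule is only effective after decoding."""
    return route_vulnerable(raw_uri, rules) != route_fixed(raw_uri, rules)


if __name__ == "__main__":
    for uri in ("/admin/users", "/%61dmin/users", "/public/index.html"):
        print(uri, route_vulnerable(uri), route_fixed(uri),
              "DISAGREE" if orderings_disagree(uri) else "ok")
```

Running the audit helper over a site's rewrite/redirect rules with percent-encoded variants of the protected paths is a quick way to confirm that a deployed version matches on the decoded path.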

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages (3 packages)

Source   Package            Affected versions
debian   debian/lighttpd    < lighttpd 1.4.19-5 (bookworm)
NVD      lighttpd/lighttpd  < 1.4.20
Debian   lighttpd/lighttpd  < 1.4.19-5+3

Also affects: Debian Linux 4.0

Patches

Vulnerability Details (2)

GHSA: GHSA-q628-fxxh-w8xf: lighttpd before 1 (2022-05-02)
OSV: CVE-2008-4359: lighttpd before 1 (2008-10-03)

Vendor Advisories (2)

Red Hat: lighttpd: bypass of rewrite/redirect rules using encoded urls (2008-07-14)
Debian: CVE-2008-4359: lighttpd - lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2)... (2008)

Community (5)

Bugzilla: CVE-2008-4359 lighttpd: bypass of rewrite/redirect rules using encoded urls (2008-10-06)
Bugzilla: CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [Fedora 8] (2008-09-29)
Bugzilla: CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [epel-4] (2008-09-29)
Bugzilla: CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [epel-5] (2008-09-29)
Bugzilla: CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [Fedora 9] (2008-09-29)