CVE-2008-4360: Sensitive Information Exposure in Lighttpd

Severity
7.5 HIGH (NVD)
EPSS
1.0%
top 22.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 3
Latest update: May 2

Description

mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages (3 packages)

debian: debian/lighttpd < lighttpd 1.4.19-5 (bookworm)
NVD: lighttpd/lighttpd < 1.4.20
Debian: lighttpd/lighttpd < 1.4.19-5+3

Also affects: Debian Linux 4.0

Patches

🔴 Vulnerability Details (2)

GHSA
GHSA-73r4-8h5j-2cjg: mod_userdir in lighttpd before 1 (2022-05-02)
OSV
CVE-2008-4360: mod_userdir in lighttpd before 1 (2008-10-03)

📋 Vendor Advisories (2)

Red Hat
lighttpd: mod_userdir information disclosure on case-insensitve filesystems (2008-03-11)
Debian
CVE-2008-4360: lighttpd - mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system ... (2008)

💬 Community (5)

Bugzilla
CVE-2008-4360 lighttpd: mod_userdir information disclosure on case-insensitve filesystems (2008-10-06)
Bugzilla
CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [Fedora 8] (2008-09-29)
Bugzilla
CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [epel-4] (2008-09-29)
Bugzilla
CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [epel-5] (2008-09-29)
Bugzilla
CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [Fedora 9] (2008-09-29)