CVE-2018-19052Path Traversal in Lighttpd

CWE-22Path Traversal9 documents7 sources
Severity
7.5HIGHNVD
EPSS
58.2%
top 1.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
LighttpdDebian LinuxOpensuse Backports SLE+2 more
Timeline
PublishedNov 7
Latest updateMay 13

Description

An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

NVDlighttpd/lighttpd< 1.4.50
Debianlighttpd/lighttpd< 1.4.52-1+3
NVDopensuse/leap15.0, 15.1+1

Also affects: Debian Linux 9.0

🔴Vulnerability Details

4
GHSA
GHSA-f959-jhqc-rqpv: An issue was discovered in mod_alias_physical_handler in mod_alias2022-05-13
OSV
lighttpd vulnerabilities2021-03-15
OSV
CVE-2018-19052: An issue was discovered in mod_alias_physical_handler in mod_alias2018-11-07
CVEList
CVE-2018-19052: An issue was discovered in mod_alias_physical_handler in mod_alias2018-11-07

📋Vendor Advisories

2
Ubuntu
Lighttpd vulnerabilities2021-03-15
Debian
CVE-2018-19052: lighttpd - An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd...2018

💬Community

2
Bugzilla
CVE-2018-19052 lighttpd: path traversal in mod_alias_physical_handler in mod_alias.c2018-11-12
Bugzilla
CVE-2018-19052 lighttpd: path traversal in mod_alias_physical_handler in mod_alias.c [epel-6]2018-11-12
CVE-2018-19052 — Path Traversal in Lighttpd | cvebase