CVE-2018-19052
published 2018-11-07CVE-2018-19052: An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory…
high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | lighttpd | < lighttpd 1.4.52-1 (bookworm) | lighttpd 1.4.52-1 (bookworm) |
| lighttpd | lighttpd | < 1.4.50 | 1.4.50 |
| lighttpd | lighttpd | >= 0 < 1.4.52-1 | 1.4.52-1 |
| lighttpd | lighttpd | >= 0 < 1.4.52-1 | 1.4.52-1 |
| lighttpd | lighttpd | >= 0 < 1.4.52-1 | 1.4.52-1 |
| lighttpd | lighttpd | >= 0 < 1.4.52-1 | 1.4.52-1 |
| lighttpd | lighttpd | >= 0 < 1.4.33-1+nmu2ubuntu2.1+esm1 | 1.4.33-1+nmu2ubuntu2.1+esm1 |
| lighttpd | lighttpd | >= 0 < 1.4.35-4ubuntu2.1+esm1 | 1.4.35-4ubuntu2.1+esm1 |
| lighttpd | lighttpd | >= 0 < 1.4.45-1ubuntu3.18.04.1+esm1 | 1.4.45-1ubuntu3.18.04.1+esm1 |
| opensuse | backports_sle | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| suse | suse_linux_enterprise_server | — | — |
| suse | suse_linux_enterprise_server | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv7.5HIGH