CVE-2019-11072
Published 2019-04-10

CVE-2019-11072: lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have…

Priority P358 · critical · 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 73.76% (99.4th percentile)
lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit."
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | lighttpd | < lighttpd 1.4.53-4 (bookworm) | lighttpd 1.4.53-4 (bookworm) |
| lighttpd | lighttpd | <= 1.4.53 | — |
| lighttpd | lighttpd | >= 0 < 1.4.53-4 | 1.4.53-4 |
| lighttpd | lighttpd | >= 0 < 1.4.53-4 | 1.4.53-4 |
| lighttpd | lighttpd | >= 0 < 1.4.53-4 | 1.4.53-4 |
| lighttpd | lighttpd | >= 0 < 1.4.53-4 | 1.4.53-4 |
Detection & IOCs (extracted from sources)
- Trigger condition: the vulnerability is only exploitable when the lighttpd config explicitly enables 'url-path-2f-decode'. Monitor for this option being set in lighttpd.conf.
- Detect malicious HTTP GET requests containing percent-encoded forward-slash sequences (e.g. %2F) in the URL path, particularly against lighttpd 1.4.50–1.4.53 with url-path-2f-decode enabled.
- Affected version range is lighttpd 1.4.50 through 1.4.53; the crash manifests as an abort() call followed by application exit, so monitor for unexpected lighttpd process termination.
- The vulnerable feature ('url-path-2f-decode') is NOT enabled by default in lighttpd 1.4.50–1.4.53; the CVE only applies if it is explicitly configured. It becomes enabled by default starting in 1.4.54.
- If the Red Hat/Fedora lighttpd packages did not explicitly enable 'url-path-2f-decode', the CVE does not apply and the issue can be closed.
- The vulnerability can be mitigated (without patching) by disabling or commenting out the url-path-2f-decode option in lighttpd.conf.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
Debian
CVE-2019-11072: lighttpd - lighttpd before 1.4.54 has a signed integer overflow, which might allow remote a...
vendor_debian · 2019 · CVSS 9.8 · CRITICAL
GHSA
GHSA-59gp-rjv5-p2h6: ** DISPUTED ** lighttpd before 1
ghsa_unreviewed · 2022-05-14 · CRITICAL · CWE-190
OSV
CVE-2019-11072: lighttpd before 1
osv · 2019-04-10 · CVSS 9.8 · CRITICAL
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-11072 lighttpd: signed integer overflow causing denial of service [fedora-all]
bugzilla · 2019-04-15 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte
Bugzilla
CVE-2019-11072 lighttpd: signed integer overflow causing denial of service
bugzilla · 2019-04-15 · CVSS 9.8 · CRITICAL
lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c.
Reference:
https://redmine.lighttpd.net/issues/2945
Upstream commit:
https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354
Discussion:
Created lighttpd tracking bugs for this issue:
Affects: fedora-all [bug 1699733]
---
Created lighttpd tracking bugs for this issue:
Affects: epel-all [bug 1699734]
---
This CVE Bugzilla entry is for community support informational purposes only a
Bugzilla
CVE-2019-11072 lighttpd: signed integer overflow causing denial of service [epel-all]
bugzilla · 2019-04-15 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
References
- http://www.securityfocus.com/bid/107907
- https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354
- https://redmine.lighttpd.net/issues/2945