CVE-2019-11072
published 2019-04-10


Priority: P3 (58)
CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 73.76% (99.4th percentile)
lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit."

Affected (6 ranges)

Vendor   | Product  | Version range                  | Fixed in
debian   | lighttpd | < lighttpd 1.4.53-4 (bookworm) | lighttpd 1.4.53-4 (bookworm)
lighttpd | lighttpd | <= 1.4.53                      | -
lighttpd | lighttpd | >= 0, < 1.4.53-4               | 1.4.53-4
lighttpd | lighttpd | >= 0, < 1.4.53-4               | 1.4.53-4
lighttpd | lighttpd | >= 0, < 1.4.53-4               | 1.4.53-4
lighttpd | lighttpd | >= 0, < 1.4.53-4               | 1.4.53-4

Detection & IOCs (extracted from sources)

URL: /%2F?
Command: server.http-parseopts = ( "url-path-2f-decode" => "enable" )
  • Trigger condition: the vulnerability is only exploitable when the lighttpd config explicitly enables 'url-path-2f-decode'. Monitor for this option being set in lighttpd.conf.
  • Detect malicious HTTP GET requests containing percent-encoded forward slash sequences (e.g. %2F) in the URL path, particularly targeting lighttpd 1.4.50–1.4.53 with url-path-2f-decode enabled.
  • Affected version range is lighttpd 1.4.50 through 1.4.53; the crash manifests as an abort() call followed by application exit, so monitor for unexpected lighttpd process termination.
  • The vulnerable feature ('url-path-2f-decode') is NOT enabled by default in lighttpd 1.4.50–1.4.53; the CVE only applies if explicitly configured. It becomes enabled by default starting in 1.4.54.
  • If the RedHat/Fedora lighttpd packages did not explicitly enable 'url-path-2f-decode', the CVE does not apply and the issue can be closed.
  • The vulnerability can be mitigated (without patching) by disabling or commenting out the url-path-2f-decode option in lighttpd.conf.
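The two checks above (is the trigger option enabled in lighttpd.conf for an affected version, and are encoded-slash requests hitting the path) can be scripted. The following is an added example written for this page; it is not code from the lighttpd project or from the CVE sources. It assumes lighttpd's default accesslog.format ("%h %V %u %t \"%r\" %>s %b ..."), and the sample config fragment and log lines are constructed for illustration. The function names (parse_http_parseopts, is_exposed, find_encoded_slash_requests) are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed lighttpd.conf fragment: a commented-out setting plus a live
# multi-line server.http-parseopts block that enables url-path-2f-decode.
SAMPLE_CONF = '''
server.modules = ( "mod_access" )
# server.http-parseopts = ( "url-path-2f-decode" => "disable" )
server.http-parseopts = (
  "url-path-2f-decode"     => "enable",
  "url-path-dotseg-remove" => "enable"
)
'''

# Constructed access-log lines in lighttpd's default accesslog.format.
SAMPLE_LOG = [
    '203.0.113.7 www.example.com - [10/Apr/2019:10:00:01 +0000] "GET /%2F? HTTP/1.1" 400 0 "-" "curl/7.64.0"',
    '203.0.113.8 www.example.com - [10/Apr/2019:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 www.example.com - [10/Apr/2019:10:00:03 +0000] "GET /a%2fb/c HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.10 www.example.com - [10/Apr/2019:10:00:04 +0000] "GET /search?q=a%2Fb HTTP/1.1" 200 50 "-" "Mozilla/5.0"',
]

# Matches a (possibly multi-line) "server.http-parseopts = ( ... )" or "+= ( ... )" block.
PARSEOPTS_RE = re.compile(r'server\.http-parseopts\s*\+?=\s*\((.*?)\)', re.S)
# Matches one "key" => "value" pair inside that block.
PAIR_RE = re.compile(r'"([^"]+)"\s*=>\s*"([^"]+)"')
# Leading fields of the default accesslog.format: host vhost user [time] "method target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

AFFECTED_MIN = (1, 4, 50)  # feature introduced (per the advisory text)
AFFECTED_MAX = (1, 4, 53)  # last affected upstream release


def strip_comments(conf_text: str) -> str:
    """Drop whole-line '#' comments so a commented-out setting is not counted."""
    return "\n".join(l for l in conf_text.splitlines() if not l.lstrip().startswith("#"))


def parse_http_parseopts(conf_text: str) -> Dict[str, str]:
    """Return the effective key => value pairs of server.http-parseopts (later blocks override)."""
    opts: Dict[str, str] = {}
    for block in PARSEOPTS_RE.finditer(strip_comments(conf_text)):
        for key, value in PAIR_RE.findall(block.group(1)):
            opts[key] = value
    return opts


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.4.53-4' -> (1, 4, 53); the distro revision after '-' is ignored here."""
    return tuple(int(x) for x in version.split("-")[0].split("."))


def is_exposed(conf_text: str, version: str) -> bool:
    """True only if the version is in 1.4.50..1.4.53 AND url-path-2f-decode is explicitly enabled."""
    in_range = AFFECTED_MIN <= version_tuple(version) <= AFFECTED_MAX
    enabled = parse_http_parseopts(conf_text).get("url-path-2f-decode") == "enable"
    return in_range and enabled


def find_encoded_slash_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, request-target, status) for requests whose *path* contains %2F.

    The query string is ignored because url-path-2f-decode only normalises the path.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than guess
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if "%2f" in path.lower():
            hits.append((client, target, status))
    return hits


if __name__ == "__main__":
    print("http-parseopts:", parse_http_parseopts(SAMPLE_CONF))
    print("exposed at 1.4.52:", is_exposed(SAMPLE_CONF, "1.4.52"))
    for hit in find_encoded_slash_requests(SAMPLE_LOG):
        print("encoded slash in path:", hit)
```

Running the script reports the parsed option block, whether a given version plus this configuration falls in the affected set, and the two constructed log lines whose path (not query string) carries an encoded slash. Pair the log check with process-exit monitoring, since the advisory describes the impact as an abort() rather than a logged error.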

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           | -       | 9.8   | CRITICAL | -
vendor_debian | -       | 9.8   | CRITICAL | -