CVE-2018-19052

high-risk

Published 2018-11-07

An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.

Do I need to act?

58.2% chance of exploitation in next 30 days

EPSS score — higher than 42% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (13)

Lighttpd

Backports Sle

Leap

Suse Linux Enterprise Server

Debian Linux

Affected Vendors

Debian Suse Lighttpd Opensuse

References (6)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html

Exploit https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb1653...

Mailing List https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html

Exploit https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb1653...

Mailing List https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html

/ 100

high-risk

Severity 26/34 · High

Exploitability 18/34 · Moderate

Exposure 17/34 · Moderate