CVE-2018-19052

Published: Nov 7, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.

Affected (13)

Products: Lighttpd: Lighttpd · Opensuse: Backports Sle, Leap · Suse: Suse Linux Enterprise Server · +1 more

Show all products

Lighttpd: Lighttpd · Opensuse: Backports Sle, Leap · Suse: Suse Linux Enterprise Server · Debian: Debian Linux

1 product

2 products

1 product

Suse Linux Enterprise Server

Debian

1 product

Debian Linux

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lighttpd Lighttpd	Before 1.4.50

Configuration B

11 vulnerable

Vulnerable Software	Affected Versions
Opensuse Backports Sle	Version 15.0
Opensuse Backports Sle	Version 15.0 sp1
Opensuse Leap	Version 15.0
Opensuse Leap	Version 15.1
Suse Suse Linux Enterprise Server	Version 11 sp3
Suse Suse Linux Enterprise Server	Version 11 sp4
Suse Suse Linux Enterprise Server	Version 12
Suse Suse Linux Enterprise Server	Version 12 sp1
Suse Suse Linux Enterprise Server	Version 12 sp2
Suse Suse Linux Enterprise Server	Version 12 sp3
Suse Suse Linux Enterprise Server	Version 12 sp4