Description
An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.
Exploits (1)
References (3)
Core 3
Core References
Exploit, Vendor Advisory x_refsource_misc
https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html
Scores
CVSS v3
7.5
EPSS
0.5817
EPSS Percentile
98.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (7)
debian/debian_linux
9.0
lighttpd/lighttpd
< 1.4.50
opensuse/backports_sle
15.0 (2 CPE variants)
opensuse/leap
15.0
opensuse/leap
15.1
suse/suse_linux_enterprise_server
11 sp3 (2 CPE variants)
suse/suse_linux_enterprise_server
12 (5 CPE variants)
Published
Nov 07, 2018
Tracked Since
Feb 18, 2026