CVE-2018-19792

MEDIUM

LiteSpeed OpenLiteSpeed <1.5.0 RC6 - Buffer Overflow

Title source: llm
STIX 2.1

Description

The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 allows local users to cause a denial of service (buffer overflow) or possibly have unspecified other impact by creating a symlink through which the openlitespeed program can be invoked with a long command name (involving ../ characters), which is mishandled in the LshttpdMain::getServerRootFromExecutablePath function.

References (1)

Core 1
Core References
Exploit, Vendor Advisory x_refsource_misc
https://github.com/litespeedtech/openlitespeed/issues/117

Scores

CVSS v3 6.7
EPSS 0.0043
EPSS Percentile 34.3%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-119
Status published
Products (2)
litespeedtech/openlitespeed 1.5.0 rc1 (5 CPE variants)
litespeedtech/openlitespeed < 1.4.41
Published Dec 03, 2018
Tracked Since Feb 18, 2026