CVE-2019-11072

CRITICAL

Lighttpd < 1.4.53 - Integer Overflow

Title source: rule

Description

lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit.

References (3)

Core 3

Core References

Exploit, Patch, Third Party Advisory x_refsource_misc

https://redmine.lighttpd.net/issues/2945

Patch, Third Party Advisory x_refsource_misc

https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354

View Patch ZIP pw:eip

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/107907

Scores

CVSS v3 9.8

EPSS 0.1208

EPSS Percentile 93.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-190

Status published

Products (1)

lighttpd/lighttpd < 1.4.53

Published Apr 10, 2019

Tracked Since Feb 18, 2026