CVE-2008-4359
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence
Low
EPSS
Percentile
83.8%
lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| lighttpd | lighttpd | * | cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:* |
| debian | debian_linux | 4.0 | cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:* |
References
lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
openwall.com/lists/oss-security/2008/09/30/1
openwall.com/lists/oss-security/2008/09/30/2
openwall.com/lists/oss-security/2008/09/30/3
secunia.com/advisories/32069
secunia.com/advisories/32132
secunia.com/advisories/32480
secunia.com/advisories/32834
secunia.com/advisories/32972
security.gentoo.org/glsa/glsa-200812-04.xml
trac.lighttpd.net/trac/changeset/2278
trac.lighttpd.net/trac/changeset/2307
trac.lighttpd.net/trac/changeset/2309
trac.lighttpd.net/trac/changeset/2310
trac.lighttpd.net/trac/ticket/1720
wiki.rpath.com/Advisories:rPSA-2008-0309
wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
www.debian.org/security/2008/dsa-1645
www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
www.lighttpd.net/security/lighttpd_sa_2008_05.txt
www.securityfocus.com/archive/1/497932/100/0/threaded
www.securityfocus.com/bid/31599
www.vupen.com/english/advisories/2008/2741
exchange.xforce.ibmcloud.com/vulnerabilities/45690
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence
Low
EPSS
Percentile
83.8%