Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2008-4359

lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.

Published

2008-10-03T17:41:40.430

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	lighttpd	lighttpd	< 1.4.20	Yes
Operating System	debian	debian_linux	4.0	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html Third Party Advisory ([email protected])
http://openwall.com/lists/oss-security/2008/09/30/1 Mailing List ([email protected])
http://openwall.com/lists/oss-security/2008/09/30/2 Mailing List ([email protected])
http://openwall.com/lists/oss-security/2008/09/30/3 Mailing List ([email protected])
http://secunia.com/advisories/32069 Third Party Advisory ([email protected])
http://secunia.com/advisories/32132 Third Party Advisory ([email protected])
http://secunia.com/advisories/32480 Third Party Advisory ([email protected])
http://secunia.com/advisories/32834 Third Party Advisory ([email protected])
http://secunia.com/advisories/32972 Third Party Advisory ([email protected])
http://security.gentoo.org/glsa/glsa-200812-04.xml Third Party Advisory ([email protected])
http://trac.lighttpd.net/trac/changeset/2278 Broken Link, Vendor Advisory ([email protected])
http://trac.lighttpd.net/trac/changeset/2307 Broken Link, Vendor Advisory ([email protected])
http://trac.lighttpd.net/trac/changeset/2309 Broken Link, Vendor Advisory ([email protected])
http://trac.lighttpd.net/trac/changeset/2310 Broken Link, Vendor Advisory ([email protected])
http://trac.lighttpd.net/trac/ticket/1720 Vendor Advisory ([email protected])
http://wiki.rpath.com/Advisories:rPSA-2008-0309 Third Party Advisory ([email protected])
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309 Third Party Advisory ([email protected])
http://www.debian.org/security/2008/dsa-1645 Third Party Advisory ([email protected])
http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch Patch, Vendor Advisory ([email protected])
http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt Vendor Advisory ([email protected])
http://www.securityfocus.com/archive/1/497932/100/0/threaded Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/bid/31599 Third Party Advisory, VDB Entry ([email protected])
http://www.vupen.com/english/advisories/2008/2741 Third Party Advisory ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/45690 Third Party Advisory, VDB Entry ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://openwall.com/lists/oss-security/2008/09/30/1 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://openwall.com/lists/oss-security/2008/09/30/2 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://openwall.com/lists/oss-security/2008/09/30/3 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/32069 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/32132 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/32480 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/32834 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/32972 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://security.gentoo.org/glsa/glsa-200812-04.xml Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://trac.lighttpd.net/trac/changeset/2278 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://trac.lighttpd.net/trac/changeset/2307 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://trac.lighttpd.net/trac/changeset/2309 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://trac.lighttpd.net/trac/changeset/2310 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://trac.lighttpd.net/trac/ticket/1720 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://wiki.rpath.com/Advisories:rPSA-2008-0309 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2008/dsa-1645 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/497932/100/0/threaded Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/31599 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/2741 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/45690 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)