CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2008-4359
https://notcve.org/view.php?id=CVE-2008-4359
03 Oct 2008 — lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data. lighttpd versiones anteriores a v1.4.20 compara URIs con patrones en los ajustes de configuración (1) url.redirect y (2) url.rewrite antes de realizar la decodificación de URL, lo cual puede permitir a atacantes remotos evitar rest... • http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.1EPSS: 1%CPEs: 2EXPL: 0CVE-2008-4360
https://notcve.org/view.php?id=CVE-2008-4360
03 Oct 2008 — mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files. mod_userdir de lighttpd versiones anteriores a v1.4.20, cuando un sistema operativo insensible a mayúsculas o minúsculas o sistemas de ficheros son utili... • http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 2%CPEs: 54EXPL: 0CVE-2008-4298
https://notcve.org/view.php?id=CVE-2008-4298
27 Sep 2008 — Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers. Fugas de memoria en la función http_request_parse en request.c en lighttpd anteriores a v1.4.20 permite a atacantes remotos causar denegación de servicio (corrupción de memoria) a través de un gran número de peticiones con cabeceras de peticiones duplicadas. • http://bugs.gentoo.org/show_bug.cgi?id=238180 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 2%CPEs: 3EXPL: 0CVE-2008-1531
https://notcve.org/view.php?id=CVE-2008-1531
27 Mar 2008 — The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost. La función connection_state_machine (connections.c) en lighttpd versión 1.4.19 y anteriores, y versión 1.5.x anterior a 1.5.0, permite a los atacantes remotos generar una denegación de s... • http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html •
CVSS: 7.5EPSS: 8%CPEs: 1EXPL: 2CVE-2008-1270 – Lighttpd 1.4.x - mod_userdir Information Disclosure
https://notcve.org/view.php?id=CVE-2008-1270
10 Mar 2008 — mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory. mod_userdir en lighttpd 1.4.18 y anteriores, cuando no está establecido el userdir.path usa un $HOME por defecto, que podría permitir a atacantes remotos leer ficheros de su elección como se ha demostrado accediendo al directorio ~nobody. • https://www.exploit-db.com/exploits/31396 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 21%CPEs: 1EXPL: 0CVE-2007-4727
https://notcve.org/view.php?id=CVE-2007-4727
12 Sep 2007 — Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18 allows remote attackers to overwrite arbitrary CGI variables and execute arbitrary code via an HTTP request with a long content length, as demonstrated by overwriting the SCRIPT_FILENAME variable, aka a "header overflow." Desbordamiento de búfer en la función fcgi_env_add de mod_proxy_backend_fastcgi.c en la extensión mod_fastcgi en lighttpd anterior a 1.4.18 permite a atacantes... • http://fedoranews.org/updates/FEDORA-2007-213.shtml • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 3%CPEs: 1EXPL: 0CVE-2007-3946
https://notcve.org/view.php?id=CVE-2007-3946
24 Jul 2007 — mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header. mod_auth (http_auth.c) en lighttpd anterior a 1.4.16 permite a atacantes remotos provocar denegación de servicio (caida de demonio) a través de vectores no especificados afectando a (1)una debilidad de memoria, (2)utiliza... • http://osvdb.org/38314 •
CVSS: 7.5EPSS: 12%CPEs: 1EXPL: 1CVE-2007-3947 – Lighttpd 1.4.15 - Multiple Code Execution / Denial of Service / Information Disclosure Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-3947
24 Jul 2007 — request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fault. request.c en lighttpd 1.4.15 permite a atacantes remotos provocar denegación de servicio (caida de demonio) a través del envío de una respuesta HTTP con cabeceras duplicadas, como se demostró con una respuesta que contiene dos lineas de cabecera Location, el... • https://www.exploit-db.com/exploits/30322 •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2007-3948
https://notcve.org/view.php?id=CVE-2007-3948
24 Jul 2007 — connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts. connections.c en lighttpd anterior 1.4.16 podría aceptar mas conexiones que el máximo configurado, lo cual permite a atacantes remotos provocar denegación de servicio (fallo de afirmación) a través de un gran número de intentos de conexión. • http://osvdb.org/38312 •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3949
https://notcve.org/view.php?id=CVE-2007-3949
24 Jul 2007 — mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings. mod_access.c en lighttpd 1.4.15 ignora los caracteres / barra invertida (slash) en la URL, lo cual permite a atacantes remotos evitar configuraciones de url.access-deny. • http://osvdb.org/38311 •