CVSS: 5.0EPSS: 2%CPEs: 1EXPL: 2CVE-2008-1270 – Lighttpd 1.4.x - mod_userdir Information Disclosure
https://notcve.org/view.php?id=CVE-2008-1270
mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory. mod_userdir en lighttpd 1.4.18 y anteriores, cuando no está establecido el userdir.path usa un $HOME por defecto, que podría permitir a atacantes remotos leer ficheros de su elección como se ha demostrado accediendo al directorio ~nobody. • https://www.exploit-db.com/exploits/31396 http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html http://secunia.com/advisories/29318 http://secunia.com/advisories/29403 http://secunia.com/advisories/29622 http://secunia.com/advisories/29636 http://security.gentoo.org/glsa/glsa-200804-08.xml http://trac.lighttpd.net/trac/ticket/1587 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106 http://www.debian.org/security/2008/dsa-1521 http://www.lighttpd. • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2008-1111
https://notcve.org/view.php?id=CVE-2008-1111
mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information. El mod_cgi en lighttpd versión 1.4.18, envía el código fuente de los scripts CGI en lugar de un error 500 cuando ocurre un fallo de bifurcación, lo que podría permitir a los atacantes remotos obtener información confidencial. • http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html http://secunia.com/advisories/29209 http://secunia.com/advisories/29235 http://secunia.com/advisories/29268 http://secunia.com/advisories/29275 http://secunia.com/advisories/29318 http://secunia.com/advisories/29622 http://security.gentoo.org/glsa/glsa-200803-10.xml http://trac.lighttpd.net/trac/changeset/2107 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106 http://www.debian.org/security/2008/d • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 10%CPEs: 12EXPL: 0CVE-2008-0983
https://notcve.org/view.php?id=CVE-2008-0983
lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. lighttpd 1.4.18 y posiblemente otras versiones anteriores a la 1.5.0, no calcula correctamente el tamaño del array descriptor de archivos, lo que permite a atacantes remotos provocar una denegación de servicio (caída) a través de un gran número de conexiones, lo cual dispara un acceso fuera de límite. • http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html http://secunia.com/advisories/29066 http://secunia.com/advisories/29166 http://secunia.com/advisories/29209 http://secunia.com/advisories/29268 http://secunia.com/advisories/29622 http://secunia.com/advisories/31104 http://security.gentoo.org/glsa/glsa-200803-10.xml http://trac.lighttpd.net/trac/ticket/1562 http://wiki.rpath.com/Advisories:rPSA-2008-0084 http://www.debian.org/security/2008/dsa-1609&# • CWE-399: Resource Management Errors •