CVE-2008-4359
Severity Score
7.5
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.
lighttpd versiones anteriores a v1.4.20 compara URIs con patrones en los ajustes de configuración (1) url.redirect y (2) url.rewrite antes de realizar la decodificación de URL, lo cual puede permitir a atacantes remotos evitar restricciones de acceso intencionado, y obtener información sensible o posiblemente modificar datos.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2008-09-30 CVE Reserved
- 2008-10-03 CVE Published
- 2024-08-07 CVE Updated
- 2024-10-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (24)
| URL | Tag | Source |
|---|---|---|
| http://openwall.com/lists/oss-security/2008/09/30/1 | Mailing List | |
| http://openwall.com/lists/oss-security/2008/09/30/2 | Mailing List | |
| http://openwall.com/lists/oss-security/2008/09/30/3 | Mailing List | |
| http://secunia.com/advisories/32069 | Third Party Advisory | |
| http://secunia.com/advisories/32132 | Third Party Advisory | |
| http://secunia.com/advisories/32480 | Third Party Advisory | |
| http://secunia.com/advisories/32834 | Third Party Advisory | |
| http://secunia.com/advisories/32972 | Third Party Advisory | |
| http://wiki.rpath.com/Advisories:rPSA-2008-0309 | Third Party Advisory | |
| http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309 | Third Party Advisory | |
| http://www.securityfocus.com/archive/1/497932/100/0/threaded | Mailing List | |
| http://www.securityfocus.com/bid/31599 | Third Party Advisory | |
| http://www.vupen.com/english/advisories/2008/2741 | Third Party Advisory | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/45690 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch | 2018-11-29 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html | 2018-11-29 | |
| http://security.gentoo.org/glsa/glsa-200812-04.xml | 2018-11-29 | |
| http://trac.lighttpd.net/trac/changeset/2278 | 2018-11-29 | |
| http://trac.lighttpd.net/trac/changeset/2307 | 2018-11-29 | |
| http://trac.lighttpd.net/trac/changeset/2309 | 2018-11-29 | |
| http://trac.lighttpd.net/trac/changeset/2310 | 2018-11-29 | |
| http://trac.lighttpd.net/trac/ticket/1720 | 2018-11-29 | |
| http://www.debian.org/security/2008/dsa-1645 | 2018-11-29 | |
| http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt | 2018-11-29 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Lighttpd Search vendor "Lighttpd" | Lighttpd Search vendor "Lighttpd" for product "Lighttpd" | < 1.4.20 Search vendor "Lighttpd" for product "Lighttpd" and version " < 1.4.20" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 4.0 Search vendor "Debian" for product "Debian Linux" and version "4.0" | - |
Affected
| ||||||