Skip to main content

Lighttpd CVE-2014-2324

MEDIUM
Path Traversal (CWE-22)
2014-03-14 cve@mitre.org
5.0
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:L/Au:N/C:P/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Confidentiality
P
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 14, 2014 - 15:55 cve.org
MEDIUM 5.0

DescriptionCVE.org

Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname.

AnalysisAI

Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 71.7%.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname. Affected products include: Lighttpd, Debian Debian Linux, Opensuse, Suse Linux Enterprise High Availability Extension, Suse Linux Enterprise Software Development Kit. Version information: before 1.4.35.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2014-2323 CRITICAL POC
9.8 Mar 14

SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary

CVE-2012-5533 MEDIUM POC
5.0 Nov 24

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial o

CVE-2015-3200 HIGH POC
7.5 Jun 09

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authenticati

CVE-2019-11072 CRITICAL POC
9.8 Apr 10

lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (a

CVE-2013-4508 HIGH POC
7.5 Nov 08

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to

CVE-2022-41556 HIGH POC
7.5 Oct 06

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exh

CVE-2022-37797 HIGH POC
7.5 Sep 12

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket ha

CVE-2022-30780 HIGH POC
7.5 Jun 11

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connect

CVE-2018-19052 HIGH POC
7.5 Nov 07

An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. Rated high severity (CVS

CVE-2013-4559 HIGH
7.6 Nov 20

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which

CVE-2013-4560 MEDIUM
5.0 Nov 20

Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentatio

CVE-2013-1427 LOW
1.9 Mar 21

The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file

Share

CVE-2014-2324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy