Julien Cayzac

**Name of the Vulnerable Software and Affected Versions** lighttpd versions 1.4.18 and earlier **Description** The issue allows remote attackers to read arbitrary files. This is demonstrated by accessing the ~nobody directory when the userdir.path is not set, and the default of $HOME is used. **Recommendations** For lighttpd versions 1.4.18 and earlier, set the userdir.path to prevent the use of the default $HOME directory, which could allow remote attackers to read arbitrary files.