CVE-2014-2324

Name of the Vulnerable Software and Affected Versions lighttpd versions prior to 1.4.35

Description The issue concerns multiple vulnerabilities in the lighttpd package of the openSUSE operating system, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The vulnerabilities include multiple directory traversal issues in mod evhost and mod simple vhost, allowing remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request check hostname.

Recommendations For lighttpd versions prior to 1.4.35, update to version 1.4.35 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable modules mod evhost and mod simple vhost until a patch is available. Avoid using the host name parameter in the affected API endpoints until the issue is resolved.