PT-2014-9114 · Opensuse+3 · Lighttpd+2

Published

1970-01-01

Updated

2024-06-15

CVE-2014-2324

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions lighttpd versions prior to 1.4.35

Description The issue concerns multiple vulnerabilities in the lighttpd package of the openSUSE operating system, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The vulnerabilities include multiple directory traversal issues in mod evhost and mod simple vhost, allowing remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request check hostname.

Recommendations For lighttpd versions prior to 1.4.35, update to version 1.4.35 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable modules mod evhost and mod simple vhost until a patch is available. Avoid using the host name parameter in the affected API endpoints until the issue is resolved.

Exploit

Fix

Path traversal

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-89

Related Identifiers

ALT-PU-2014-1428

BDU:2015-05887

BDU:2015-05888

BDU:2015-05889

BDU:2015-05890

BDU:2015-05891

BDU:2015-05892

BDU:2015-05893

BDU:2015-05894

BDU:2015-05895

BDU:2015-05896

BDU:2015-05897

BDU:2015-05898

BDU:2015-05899

CVE-2014-2324

DSA-2877-1

MGASA-2014-0133

OPENSUSE-SU-2014_0449-1

OPENSUSE-SU-2014_0496-1

OPENSUSE-SU-2024:10402-1

Affected Products

Alt Linux

Lighttpd

Suse

PT-2014-9114 · Opensuse+3 · Lighttpd+2

CVE-2014-2324

Weakness Enumeration

Related Identifiers

Affected Products

References · 60