CVE-2018-19792

Name of the Vulnerable Software and Affected Versions OpenLiteSpeed versions prior to 1.5.0 RC6

Description The issue allows local users to cause a denial of service or possibly have other unspecified impacts by creating a symlink that invokes the openlitespeed program with a long command name, which is mishandled in the LshttpdMain::getServerRootFromExecutablePath function.

Recommendations For versions prior to 1.5.0 RC6, update to version 1.5.0 RC6 or later to resolve the issue. As a temporary workaround, consider restricting the ability to create symlinks that could invoke the openlitespeed program with a long command name.