PT-2018-3498 · Lighttpd+3

Orange Tsai · Published 2018-08-21 · Updated 2025-07-31 · CVE-2018-19052

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: lighttpd versions prior to 1.4.50
Description: An issue was discovered in mod_alias_physical_handler in mod_alias.c, allowing potential ../ path traversal of a single directory above an alias target. This occurs with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character. The vulnerability can be exploited by a remote attacker to access confidential data.
Recommendations: For versions prior to 1.4.50, update to version 1.4.50 or later to resolve the issue. As a temporary workaround, consider modifying the mod_alias configuration to ensure that the matched alias includes a trailing '/' character, or restrict access to the alias target filesystem path to minimize the risk of exploitation.
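As an added audit example (not part of this advisory or of the lighttpd project), the following Python scans a lighttpd configuration for alias.url entries matching the pattern described above, an alias prefix without a trailing '/' mapped to a filesystem path with one, and rewrites them per the trailing-slash workaround. The sample configuration is constructed, and the parser assumes the flat `alias.url = ( ... )` form without conditionals or nested parentheses.

```python
import re

# Constructed sample lighttpd configuration fragment (not taken from the advisory).
SAMPLE_CONFIG = '''
server.modules += ( "mod_alias" )
alias.url = (
    "/static"  => "/srv/www/static/",
    "/docs/"   => "/usr/share/doc/",
    "/images"  => "/srv/www/images",
)
'''

# Matches a flat alias.url assignment and captures the list body between the parentheses.
ALIAS_BLOCK_RE = re.compile(r'alias\.url\s*\+?=\s*\((.*?)\)', re.DOTALL)
# Matches one "url-prefix" => "filesystem-path" pair inside that body.
PAIR_RE = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')


def is_risky(prefix, target):
    """The CVE-2018-19052 pattern: alias without trailing '/', target path with one."""
    return not prefix.endswith('/') and target.endswith('/')


def find_risky_aliases(config_text):
    """Return the (prefix, target) pairs in every alias.url block that match the pattern."""
    risky = []
    for block in ALIAS_BLOCK_RE.finditer(config_text):
        for prefix, target in PAIR_RE.findall(block.group(1)):
            if is_risky(prefix, target):
                risky.append((prefix, target))
    return risky


def harden_config(config_text):
    """Rewrite risky pairs so the matched alias carries a trailing '/' (the advisory's workaround)."""
    def fix_pair(m):
        prefix, target = m.group(1), m.group(2)
        if is_risky(prefix, target):
            prefix += '/'
        return f'"{prefix}" => "{target}"'

    def fix_block(m):
        body = m.group(1)
        return m.group(0).replace(body, PAIR_RE.sub(fix_pair, body))

    return ALIAS_BLOCK_RE.sub(fix_block, config_text)


if __name__ == "__main__":
    for prefix, target in find_risky_aliases(SAMPLE_CONFIG):
        print(f'risky alias: "{prefix}" => "{target}"')
    print(harden_config(SAMPLE_CONFIG))
```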

Tags: Exploit, Fix, Path traversal

Weakness Enumeration

Related Identifiers

ALT-PU-2018-2193
BDU:2020-02904
CVE-2018-19052
DLA-2887-1
OPENSUSE-SU-2019:2347-1
OPENSUSE-SU-2024:10585-1
USN-4775-1

Affected Products

Alt Linux
Lighttpd
Suse
Ubuntu