Vulnerability Details : CVE-2008-4359
lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.
Vulnerability category: Information leak
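The description above comes down to an ordering mistake: the url.redirect and url.rewrite patterns were compared against the raw request URI, and percent-decoding happened afterwards, so an encoded spelling of a path never reached the rule written for it. The following Python illustration is an added example (not lighttpd code) that puts the two orderings side by side with a constructed rule; the rule, the sample paths and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed rule in the spirit of a url.redirect entry: anything under
# /admin is sent to /login. Pattern and target are assumptions, not lighttpd's.
RULES = [(re.compile(r"^/admin(?:/|$)"), "/login")]


def match_before_decode(raw_uri, rules=RULES):
    """Ordering described for lighttpd before 1.4.20: the rule is compared
    against the raw request URI and decoding happens only afterwards, so an
    encoded spelling of the same path does not match the rule."""
    for pattern, target in rules:
        if pattern.match(raw_uri):
            return target
    return unquote(raw_uri)


def decode_then_match(raw_uri, rules=RULES):
    """Corrected ordering: decode first, then compare the decoded path, so
    every spelling of the same path is handled identically."""
    path = unquote(raw_uri)
    for pattern, target in rules:
        if pattern.match(path):
            return target
    return path


def encoding_sensitive_uris(rules, uris):
    """Regression check for a rule set: return the sample URIs on which the
    two orderings disagree. An empty list means no sample request is treated
    differently just because of how it is percent-encoded."""
    return [u for u in uris
            if match_before_decode(u, rules) != decode_then_match(u, rules)]


if __name__ == "__main__":
    # Constructed sample requests: plain, percent-encoded, and unrelated.
    samples = ["/admin/users", "/%61dmin/users", "/public/index.html"]
    for u in samples:
        print(u, "->", match_before_decode(u), "|", decode_then_match(u))
    print("differ:", encoding_sensitive_uris(RULES, samples))
```

A real server must also normalise the decoded path (dot segments, and a `%2F` that decodes to a slash) before matching; the illustration stops at decoding because the ordering is the point.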
Threat overview for CVE-2008-4359
- Top countries where our scanners detected CVE-2008-4359: (country chart not reproduced in this text)
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2008-4359: 76,709
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2008-4359
- Probability of exploitation activity in the next 30 days: 1.01%
- Percentile (the proportion of vulnerabilities scored at or below this value): ~82%
CVSS scores for CVE-2008-4359
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST
CWE ids for CVE-2008-4359
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-4359
- http://wiki.rpath.com/Advisories:rPSA-2008-0309 (Third Party Advisory)
- http://www.vupen.com/english/advisories/2008/2741 (Third Party Advisory)
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309 (Third Party Advisory)
- http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch (Patch; Vendor Advisory)
- http://www.securityfocus.com/archive/1/497932/100/0/threaded (Third Party Advisory; VDB Entry)
- http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html (Third Party Advisory; [security-announce] SUSE Security Summary Report SUSE-SR:2008:026, openSUSE Security Announce mailing list)
- http://trac.lighttpd.net/trac/changeset/2307 (Broken Link; Vendor Advisory)
- http://openwall.com/lists/oss-security/2008/09/30/3 (Mailing List)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45690 (Third Party Advisory; VDB Entry)
- http://security.gentoo.org/glsa/glsa-200812-04.xml (Third Party Advisory)
- http://trac.lighttpd.net/trac/ticket/1720 (Vendor Advisory)
- http://trac.lighttpd.net/trac/changeset/2310 (Broken Link; Vendor Advisory)
- http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt (Vendor Advisory)
- http://trac.lighttpd.net/trac/changeset/2278 (Broken Link; Vendor Advisory)
- http://trac.lighttpd.net/trac/changeset/2309 (Broken Link; Vendor Advisory)
- http://www.securityfocus.com/bid/31599 (Third Party Advisory; VDB Entry)
- http://openwall.com/lists/oss-security/2008/09/30/2 (Mailing List)
- http://openwall.com/lists/oss-security/2008/09/30/1 (Mailing List)
- http://www.debian.org/security/2008/dsa-1645 (Third Party Advisory)
Products affected by CVE-2008-4359
- cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*