CVE-2007-3949 : mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL

mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings.

Published 2007-07-24 00:30:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2007-3949

Lighttpd » Lighttpd
Versions up to, including, (<=) 1.4.15
cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*
Matching versions

Top countries where our scanners detected CVE-2007-3949

Top open port discovered on systems with this issue 80

IPs affected by CVE-2007-3949 4,314

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2007-3949!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

EPSS FAQ

0.50%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 63 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.3	HIGH	AV:N/AC:M/Au:N/C:P/I:P/A:C	8.6	8.5	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Complete

Jump to