Detections
Analytics

lighttpd < 1.4.24 Information Disclosure

medium Nessus Network Monitor Plugin ID 5035

Synopsis

The remote host is vulnerable to a flaw which allows attackers to retrieve sensitive files or data

Description

According to its banner, the version of lighttpd installed on the remote host is older than 1.4.24. Such versions may be affected by an information-disclosure vulnerability. Specifically, Lighttpd does not correctly handle a file name which has a trailing '\'. An attacker, exploiting this flaw, can request any file within the web root to download or view. This may lead to the loss of condidential data.

Solution

Update lighttpd to version 1.4.24 or later.

See Also

http://www.lighttpd.net

Plugin Details

Severity: Medium

ID: 5035

Family: Web Servers

Published: 8/18/2004

Updated: 3/6/2019

Nessus ID: 39006

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:lighttpd:lighttpd

Reference Information

BID: 35097