CVE-2014-2324

2014-03-1415:55:00

CWE-22

[email protected]

web.nvd.nist.gov

258

cve-2014-2324

directory traversal

mod_evhost

mod_simple_vhost

lighttpd

nvd

vulnerability

9.2 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.956 High

EPSS

Percentile

99.4%

JSON

Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a … (dot dot) in the host name, related to request_check_hostname.

CPENameOperatorVersion
lighttpd:lighttpdlighttpdlt1.4.35
debian:debian_linuxdebian debian linuxeq8.0
debian:debian_linuxdebian debian linuxeq7.0
debian:debian_linuxdebian debian linuxeq6.0
opensuse:opensuseopensuseeq12.3
suse:linux_enterprise_software_development_kitsuse linux enterprise software development kiteq11
opensuse:opensuseopensuseeq11.4
opensuse:opensuseopensuseeq13.1
suse:linux_enterprise_high_availability_extensionsuse linux enterprise high availability extensioneq11
contec:sv-cpt-mc310_firmwarecontec sv-cpt-mc310 firmwarelt6.5

CPE	Name	Operator	Version
lighttpd:lighttpd	lighttpd	lt	1.4.35
debian:debian_linux	debian debian linux	eq	8.0
debian:debian_linux	debian debian linux	eq	7.0
debian:debian_linux	debian debian linux	eq	6.0
opensuse:opensuse	opensuse	eq	12.3
suse:linux_enterprise_software_development_kit	suse linux enterprise software development kit	eq	11
opensuse:opensuse	opensuse	eq	11.4
opensuse:opensuse	opensuse	eq	13.1
suse:linux_enterprise_high_availability_extension	suse linux enterprise high availability extension	eq	11
contec:sv-cpt-mc310_firmware	contec sv-cpt-mc310 firmware	lt	6.5