CVE-2014-2324

Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname.

Published: Mar 14, 2014
Updated: Apr 13, 2023
CVE: CVE-2014-2324
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
lighttpd / lighttpd	-	1.4.35
debian / debian_linux	8.0	8.0.x
debian / debian_linux	7.0	7.0.x
debian / debian_linux	6.0	6.0.x
opensuse / opensuse	12.3	12.3.x
suse / linux_enterprise_software_development_kit	11-sp3	11-sp3.x
opensuse / opensuse	11.4	11.4.x
opensuse / opensuse	13.1	13.1.x
suse / linux_enterprise_high_availability_extension	11-sp3	11-sp3.x
contec / sv-cpt-mc310_firmware	-	6.5

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
http://jvn.jp/en/jp/JVN37417423/index.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html
http://marc.info/?l=bugtraq&m=141576815022399&w=2
http://seclists.org/oss-sec/2014/q1/561
http://seclists.org/oss-sec/2014/q1/564
http://secunia.com/advisories/57404
http://secunia.com/advisories/57514
http://www.debian.org/security/2014/dsa-2877
http://www.lighttpd.net/2014/3/12/1.4.35/
http://www.securityfocus.com/bid/66157

Vulnerability Database

CVE-2014-2324

Deep Security Visibility Without the Complexity