VDB

CVE-2019-11072

CVE-2019-11072 PUBLISHED CVSS 7.5 HIGH

lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit.

EPSS 12.08% · 93.9th percentile

Risk Scores

CVSS 2.0
7.5
EPSS Score
12.08%
93.9th percentile

Affected Products

VendorProductVersions
lighttpdlighttpd0
n/an/an/a

Timeline

  • Apr 9, 2019 CVE Published
  • Apr 14, 2021 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • Feb 14, 2024 EPSS Score
  • Apr 21, 2024 EPSS Score
  • May 8, 2024 EPSS Score
  • Dec 17, 2024 EPSS Score
  • Mar 21, 2025 EPSS Score
  • Mar 22, 2025 EPSS Score
  • Apr 17, 2025 EPSS Score
  • May 4, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›