A vulnerability in lighttpd could allow an unauthenticated, remote attacker to conduct a path traversal attack on a targeted system.
The vulnerability is due to insufficient sanitization of user-supplied input by the mod_alias_physical_handler function, as defined in the mod_alias source code file of the affected software. An attacker could exploit this vulnerability by passing crafted URL requests to the targeted system. A successful exploit could lead to a path traversal condition, allowing an attacker to access arbitrary files on the targeted system.
The vendor has confirmed the vulnerability and released updated software.
Security Impact Rating: High
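The kind of validation an alias-to-filesystem mapping needs before it hands a path to the file layer, shown as an added example; this is illustrative code, not lighttpd's source or the vendor's patch. The `struct alias`, `alias_map`, `demo_map` names and the `/img` to `/srv/www/images/` mapping are hypothetical, and the URL path is assumed to be percent-decoded already.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical alias entry (constructed values, not from a real config). */
struct alias { const char *prefix; const char *target; };

/* Return 1 if any '/'-delimited segment of s is exactly "..". */
static int has_dotdot_segment(const char *s) {
    while (*s) {
        while (*s == '/') s++;
        size_t n = strcspn(s, "/");
        if (n == 2 && s[0] == '.' && s[1] == '.') return 1;
        s += n;
    }
    return 0;
}

/* Map an already percent-decoded URL path through alias a into out.
 * Returns 0 on success, -1 if the alias does not apply or the path is rejected. */
int alias_map(const struct alias *a, const char *url, char *out, size_t outlen) {
    size_t plen = strlen(a->prefix), tlen = strlen(a->target);
    if (plen == 0 || strncmp(url, a->prefix, plen) != 0) return -1;
    const char *rest = url + plen;
    /* The prefix must end on a segment boundary: "/img" must not match "/imgs". */
    if (a->prefix[plen - 1] != '/' && *rest != '\0' && *rest != '/') return -1;
    /* Nothing after the prefix may climb out of the target directory. */
    if (has_dotdot_segment(rest)) return -1;
    while (*rest == '/') rest++;
    const char *sep = (tlen > 0 && a->target[tlen - 1] == '/') ? "" : "/";
    int n = snprintf(out, outlen, "%s%s%s", a->target, sep, rest);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Demo wrapper: returns the mapped path, or NULL when the request is refused. */
const char *demo_map(const char *url) {
    static const struct alias a = { "/img", "/srv/www/images/" };
    static char buf[256];
    return alias_map(&a, url, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    const char *urls[] = { "/img/logo.png", "/imgs/logo.png", "/img/a/../../conf" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        const char *p = demo_map(urls[i]);
        printf("%-20s -> %s\n", urls[i], p ? p : "(refused)");
    }
    return 0;
}
```

The check is purely lexical, so it does not account for symbolic links inside the target directory; resolving the mapped path with `realpath()` and comparing it against the resolved target covers that case.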