lighttpd mod_alias_physical_handler Function Path Traversal Vulnerability

By GIXnews

A vulnerability in lighttpd could allow an unauthenticated, remote attacker to conduct a path traversal attack on a targeted system.

The vulnerability is due to insufficient sanitization of user-supplied input by the mod_alias_physical_handler function, as defined in the mod_alias source code file of the affected software. An attacker could exploit this vulnerability by passing crafted URL requests to the targeted system. A successful exploit could lead to a path traversal condition, allowing an attacker to access arbitrary files on the targeted system.

The vendor has confirmed the vulnerability and released updated software.
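The following configuration audit is an added example, not code from this advisory, Cisco, or the lighttpd project. It assumes the condition given in the public CVE-2018-19052 description, which this page does not state: the flaw applies to `alias.url` entries whose alias lacks a trailing `/` while the target filesystem path has one. The function names and the sample configuration are constructed for illustration.

```python
import re

# Matches alias.url = ( ... ) and alias.url += ( ... ) blocks.
# Assumes no ')' appears inside a quoted path.
ALIAS_BLOCK = re.compile(r'alias\.url\s*\+?=\s*\((.*?)\)', re.DOTALL)
PAIR = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')

def strip_comments(text):
    """Drop '#' comments that are outside double-quoted strings."""
    out = []
    for line in text.splitlines():
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch == '#' and not in_quote:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def risky_aliases(conf_text):
    """Return (alias, target) pairs where the alias has no trailing '/'
    but the target path does (the mismatch named in the CVE description)."""
    findings = []
    for block in ALIAS_BLOCK.finditer(strip_comments(conf_text)):
        for url_prefix, fs_path in PAIR.findall(block.group(1)):
            if not url_prefix.endswith("/") and fs_path.endswith("/"):
                findings.append((url_prefix, fs_path))
    return findings

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = '''
server.modules += ( "mod_alias" )
alias.url = (
    "/doc"      => "/usr/share/doc/",     # mismatched slashes
    "/static/"  => "/srv/www/static/",
    "/icons"    => "/srv/www/icons",
)
# alias.url += ( "/old" => "/srv/old/" )
$HTTP["host"] == "example.test" {
    alias.url += ( "/dl" => "/srv/downloads/" )
}
'''

if __name__ == "__main__":
    for alias, target in risky_aliases(SAMPLE_CONF):
        print(f"review: alias {alias!r} -> {target!r} (trailing '/' mismatch)")
```

Flagged entries mark hosts to prioritize for the vendor's updated software; making the trailing `/` consistent on both sides of each entry removes the mismatch in the meantime.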

Security Impact Rating: High

CVE: CVE-2018-19052

Source: Cisco Multivendor Vulnerability Alerts