http://www.securityfocus.com/bid/107907

https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354

https://redmine.lighttpd.net/issues/2945

MITRE disputed

** DISPUTED ** lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the

lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e

lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c.

** DISPUTED ** lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the

http://www.securityfocus.com/bid/107907 No Types Assigned

http://www.securityfocus.com/bid/107907 Third Party Advisory, VDB Entry

https://redmine.lighttpd.net/issues/2945 Exploit, Third Party Advisory

https://redmine.lighttpd.net/issues/2945 Exploit, Patch, Third Party Advisory

http://www.securityfocus.com/bid/107907 [No Types Assigned]

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

CWE-190

OR
     *cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:* versions up to (including) 1.4.53

https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354 No Types Assigned

https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354 Patch, Third Party Advisory

https://redmine.lighttpd.net/issues/2945 No Types Assigned

https://redmine.lighttpd.net/issues/2945 Exploit, Third Party Advisory