CVE-2008-1111 - OpenCVE

mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Lighttpd	Lighttpd

Configuration 1 [-]

cpe:2.3:a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html
http://secunia.com/advisories/29209	Vendor Advisory
http://secunia.com/advisories/29235	Vendor Advisory
http://secunia.com/advisories/29268	Vendor Advisory
http://secunia.com/advisories/29275	Vendor Advisory
http://secunia.com/advisories/29318	Vendor Advisory
http://secunia.com/advisories/29622	Vendor Advisory
http://security.gentoo.org/glsa/glsa-200803-10.xml
http://trac.lighttpd.net/trac/changeset/2107
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106
http://www.debian.org/security/2008/dsa-1513
http://www.securityfocus.com/archive/1/489465/100/0/threaded
http://www.securityfocus.com/bid/28100
http://www.vupen.com/english/advisories/2008/0763	Vendor Advisory
https://bugs.gentoo.org/show_bug.cgi?id=211956
https://exchange.xforce.ibmcloud.com/vulnerabilities/41008
https://issues.rpath.com/browse/RPL-2326
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2008-03-04T23:00:00

Updated: 2018-10-11T19:57:01

Reserved: 2008-03-02T00:00:00

Link: CVE-2008-1111

JSON object: View

NVD Information

Status : Modified

Published: 2008-03-04T23:44:00.000

Modified: 2018-10-11T20:29:41.773

Link: CVE-2008-1111

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-03-02T00:00:00", "descriptions": [{"lang": "en", "value": "mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "29268", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29268"}, {"name": "29622", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29622"}, {"name": "ADV-2008-0763", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/0763"}, {"name": "29318", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29318"}, {"name": "SUSE-SR:2008:008", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html"}, {"name": "29209", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29209"}, {"name": "DSA-1513", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2008/dsa-1513"}, {"name": "FEDORA-2008-2262", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html"}, {"name": "28100", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/28100"}, {"name": "20080312 rPSA-2008-0106-1 lighttpd", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded"}, {"name": "29275", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29275"}, {"name": "GLSA-200803-10", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml"}, {"tags": ["x_refsource_MISC"], "url": "https://issues.rpath.com/browse/RPL-2326"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956"}, {"name": "FEDORA-2008-2278", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://trac.lighttpd.net/trac/changeset/2107"}, {"name": "29235", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29235"}, {"tags": ["x_refsource_MISC"], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106"}, {"name": "lighttpd-modcgi-information-disclosure(41008)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1111", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "29268", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29268"}, {"name": "29622", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29622"}, {"name": "ADV-2008-0763", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0763"}, {"name": "29318", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29318"}, {"name": "SUSE-SR:2008:008", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html"}, {"name": "29209", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29209"}, {"name": "DSA-1513", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1513"}, {"name": "FEDORA-2008-2262", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html"}, {"name": "28100", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28100"}, {"name": "20080312 rPSA-2008-0106-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded"}, {"name": "29275", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29275"}, {"name": "GLSA-200803-10", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml"}, {"name": "https://issues.rpath.com/browse/RPL-2326", "refsource": "MISC", "url": "https://issues.rpath.com/browse/RPL-2326"}, {"name": "https://bugs.gentoo.org/show_bug.cgi?id=211956", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956"}, {"name": "FEDORA-2008-2278", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html"}, {"name": "http://trac.lighttpd.net/trac/changeset/2107", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2107"}, {"name": "29235", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29235"}, {"name": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106", "refsource": "MISC", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106"}, {"name": "lighttpd-modcgi-information-disclosure(41008)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1111", "datePublished": "2008-03-04T23:00:00", "dateReserved": "2008-03-02T00:00:00", "dateUpdated": "2018-10-11T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "DA46E89A-565E-439D-BCB2-6CEE44EFDFAC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information."}, {"lang": "es", "value": "El mod_cgi en lighttpd versi\u00f3n 1.4.18, env\u00eda el c\u00f3digo fuente de los scripts CGI en lugar de un error 500 cuando ocurre un fallo de bifurcaci\u00f3n, lo que podr\u00eda permitir a los atacantes remotos obtener informaci\u00f3n confidencial."}], "id": "CVE-2008-1111", "lastModified": "2018-10-11T20:29:41.773", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-03-04T23:44:00.000", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29209"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29235"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29268"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29275"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29318"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29622"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml"}, {"source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/2107"}, {"source": "cve@mitre.org", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1513"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/28100"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2008/0763"}, {"source": "cve@mitre.org", "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008"}, {"source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-2326"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}