CVE-2008-1111 - OpenCVE

mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lighttpd	Lighttpd

Configuration 1 [-]

cpe:2.3:a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html
http://secunia.com/advisories/29209
http://secunia.com/advisories/29235
http://secunia.com/advisories/29268
http://secunia.com/advisories/29275
http://secunia.com/advisories/29318
http://secunia.com/advisories/29622
http://security.gentoo.org/glsa/glsa-200803-10.xml
http://trac.lighttpd.net/trac/changeset/2107
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106
http://www.debian.org/security/2008/dsa-1513
http://www.securityfocus.com/archive/1/489465/100/0/threaded
http://www.securityfocus.com/bid/28100
http://www.vupen.com/english/advisories/2008/0763
https://bugs.gentoo.org/show_bug.cgi?id=211956
https://exchange.xforce.ibmcloud.com/vulnerabilities/41008
https://issues.rpath.com/browse/RPL-2326
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-03-04T23:00:00

Updated: 2024-08-07T08:08:57.337Z

Reserved: 2008-03-02T00:00:00

Link: CVE-2008-1111

Vulnrichment

No data.

NVD

Status : Modified

Published: 2008-03-04T23:44:00.000

Modified: 2018-10-11T20:29:41.773

Link: CVE-2008-1111

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-03-02T00:00:00", "descriptions": [{"lang": "en", "value": "mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "29268", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29268"}, {"name": "29622", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29622"}, {"name": "ADV-2008-0763", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/0763"}, {"name": "29318", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29318"}, {"name": "SUSE-SR:2008:008", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html"}, {"name": "29209", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29209"}, {"name": "DSA-1513", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2008/dsa-1513"}, {"name": "FEDORA-2008-2262", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html"}, {"name": "28100", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/28100"}, {"name": "20080312 rPSA-2008-0106-1 lighttpd", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded"}, {"name": "29275", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29275"}, {"name": "GLSA-200803-10", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml"}, {"tags": ["x_refsource_MISC"], "url": "https://issues.rpath.com/browse/RPL-2326"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956"}, {"name": "FEDORA-2008-2278", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://trac.lighttpd.net/trac/changeset/2107"}, {"name": "29235", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29235"}, {"tags": ["x_refsource_MISC"], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106"}, {"name": "lighttpd-modcgi-information-disclosure(41008)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1111", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "29268", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29268"}, {"name": "29622", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29622"}, {"name": "ADV-2008-0763", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0763"}, {"name": "29318", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29318"}, {"name": "SUSE-SR:2008:008", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html"}, {"name": "29209", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29209"}, {"name": "DSA-1513", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1513"}, {"name": "FEDORA-2008-2262", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html"}, {"name": "28100", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28100"}, {"name": "20080312 rPSA-2008-0106-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded"}, {"name": "29275", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29275"}, {"name": "GLSA-200803-10", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml"}, {"name": "https://issues.rpath.com/browse/RPL-2326", "refsource": "MISC", "url": "https://issues.rpath.com/browse/RPL-2326"}, {"name": "https://bugs.gentoo.org/show_bug.cgi?id=211956", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956"}, {"name": "FEDORA-2008-2278", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html"}, {"name": "http://trac.lighttpd.net/trac/changeset/2107", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2107"}, {"name": "29235", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29235"}, {"name": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106", "refsource": "MISC", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106"}, {"name": "lighttpd-modcgi-information-disclosure(41008)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T08:08:57.337Z"}, "title": "CVE Program Container", "references": [{"name": "29268", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/29268"}, {"name": "29622", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/29622"}, {"name": "ADV-2008-0763", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/0763"}, {"name": "29318", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/29318"}, {"name": "SUSE-SR:2008:008", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html"}, {"name": "29209", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/29209"}, {"name": "DSA-1513", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2008/dsa-1513"}, {"name": "FEDORA-2008-2262", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html"}, {"name": "28100", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/28100"}, {"name": "20080312 rPSA-2008-0106-1 lighttpd", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded"}, {"name": "29275", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/29275"}, {"name": "GLSA-200803-10", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://issues.rpath.com/browse/RPL-2326"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956"}, {"name": "FEDORA-2008-2278", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://trac.lighttpd.net/trac/changeset/2107"}, {"name": "29235", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/29235"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106"}, {"name": "lighttpd-modcgi-information-disclosure(41008)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1111", "datePublished": "2008-03-04T23:00:00", "dateReserved": "2008-03-02T00:00:00", "dateUpdated": "2024-08-07T08:08:57.337Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "DA46E89A-565E-439D-BCB2-6CEE44EFDFAC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information."}, {"lang": "es", "value": "El mod_cgi en lighttpd versi\u00f3n 1.4.18, env\u00eda el c\u00f3digo fuente de los scripts CGI en lugar de un error 500 cuando ocurre un fallo de bifurcaci\u00f3n, lo que podr\u00eda permitir a los atacantes remotos obtener informaci\u00f3n confidencial."}], "id": "CVE-2008-1111", "lastModified": "2018-10-11T20:29:41.773", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-03-04T23:44:00.000", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29209"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29235"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29268"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29275"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29318"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29622"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml"}, {"source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/2107"}, {"source": "cve@mitre.org", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1513"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/28100"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2008/0763"}, {"source": "cve@mitre.org", "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008"}, {"source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-2326"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}