{"id":"CVE-2018-19052","details":"An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.","modified":"2026-03-14T09:28:46.475188Z","published":"2018-11-07T05:29:00.343Z","related":["openSUSE-SU-2019:2347-1","openSUSE-SU-2024:10585-1"],"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html"},{"type":"EVIDENCE","url":"https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lighttpd/lighttpd1.4","events":[{"introduced":"0"},{"fixed":"a2114a1c9b34a165cf69439e21a5d1429e252554"},{"fixed":"2105dae0f9d7a964375ce681e53cb165375f84c1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.4.50"}]}}],"versions":["lighttpd-1.3.11","lighttpd-1.3.12","lighttpd-1.3.13","lighttpd-1.3.14","lighttpd-1.3.15","lighttpd-1.3.16","lighttpd-1.4.1","lighttpd-1.4.2","lighttpd-1.4.25","lighttpd-1.4.26","lighttpd-1.4.27","lighttpd-1.4.28","lighttpd-1.4.29","lighttpd-1.4.3","lighttpd-1.4.30","lighttpd-1.4.31","lighttpd-1.4.32","lighttpd-1.4.33","lighttpd-1.4.34","lighttpd-1.4.35","lighttpd-1.4.36","lighttpd-1.4.36--rc1","lighttpd-1.4.37","lighttpd-1.4.38","lighttpd-1.4.39","lighttpd-1.4.4","lighttpd-1.4.40","lighttpd-1.4.41","lighttpd-1.4.42","lighttpd-1.4.43","lighttpd-1.4.44","lighttpd-1.4.45","lighttpd-1.4.46","lighttpd-1.4.47","lighttpd-1.4.48","lighttpd-1.4.49","lighttpd-1.4.5","lighttpd-1.4.6","lighttpd-1.4.7"],"database_specific":{"vanir_signatures":[{"digest":{"length":1029,"function_hash":"149042138735570835025939466017948242542"},"source":"https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1","id":"CVE-2018-19052-1be13382","signature_type":"Function","signature_version":"v1","target":{"file":"src/mod_alias.c","function":"PHYSICALPATH_FUNC"},"deprecated":false},{"digest":{"threshold":0.9,"line_hashes":["303192333452448327106390395563064620760","80679466272643474847981161116281953383","208143731090529638039435268477316973998"]},"source":"https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1","id":"CVE-2018-19052-387c5170","signature_type":"Line","signature_version":"v1","target":{"file":"src/mod_alias.c"},"deprecated":false}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"15.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0-sp1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"11-sp3"}]},{"events":[{"introduced":"0"},{"last_affected":"11-sp4"}]},{"events":[{"introduced":"0"},{"last_affected":"12"}]},{"events":[{"introduced":"0"},{"last_affected":"12-sp1"}]},{"events":[{"introduced":"0"},{"last_affected":"12-sp2"}]},{"events":[{"introduced":"0"},{"last_affected":"12-sp3"}]},{"events":[{"introduced":"0"},{"last_affected":"12-sp4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19052.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}