An issue was discovered in modaliasphysicalhandler in modalias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
],
"vendor_product": "debian:debian_linux",
"extracted_events": [
{
"introduced": "9.0"
},
{
"last_affected": "9.0"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*",
"cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*"
],
"vendor_product": "opensuse:backports_sle",
"extracted_events": [
{
"introduced": "15.0-NA"
},
{
"last_affected": "15.0-NA"
},
{
"introduced": "15.0-sp1"
},
{
"last_affected": "15.0-sp1"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"
],
"vendor_product": "opensuse:leap",
"extracted_events": [
{
"introduced": "15.0"
},
{
"last_affected": "15.0"
},
{
"introduced": "15.1"
},
{
"last_affected": "15.1"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp3:*:*:*:*:*:*",
"cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp4:*:*:*:*:*:*",
"cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*",
"cpe:2.3:o:suse:suse_linux_enterprise_server:12:sp1:*:*:*:*:*:*",
"cpe:2.3:o:suse:suse_linux_enterprise_server:12:sp2:*:*:*:*:*:*",
"cpe:2.3:o:suse:suse_linux_enterprise_server:12:sp3:*:*:*:*:*:*",
"cpe:2.3:o:suse:suse_linux_enterprise_server:12:sp4:*:*:*:*:*:*"
],
"vendor_product": "suse:suse_linux_enterprise_server",
"extracted_events": [
{
"introduced": "11-sp3"
},
{
"last_affected": "11-sp3"
},
{
"introduced": "11-sp4"
},
{
"last_affected": "11-sp4"
},
{
"introduced": "12"
},
{
"last_affected": "12"
},
{
"introduced": "12-sp1"
},
{
"last_affected": "12-sp1"
},
{
"introduced": "12-sp2"
},
{
"last_affected": "12-sp2"
},
{
"introduced": "12-sp3"
},
{
"last_affected": "12-sp3"
},
{
"introduced": "12-sp4"
},
{
"last_affected": "12-sp4"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.4.50"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}"2026-07-09T00:59:11Z"
[
{
"digest": {
"function_hash": "149042138735570835025939466017948242542",
"length": 1029.0
},
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "src/mod_alias.c",
"function": "PHYSICALPATH_FUNC"
},
"deprecated": false,
"id": "CVE-2018-19052-1be13382",
"source": "https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"303192333452448327106390395563064620760",
"80679466272643474847981161116281953383",
"208143731090529638039435268477316973998"
]
},
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "src/mod_alias.c"
},
"deprecated": false,
"id": "CVE-2018-19052-387c5170",
"source": "https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1"
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-19052.json"