Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-392a-57u1-mqcx

Summary lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit.

Aliases

alias	CVE-2019-11072

Fixed_packages

url	pkg:deb/debian/lighttpd@1.4.53-4?distro=trixie
purl	pkg:deb/debian/lighttpd@1.4.53-4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.53-4%3Fdistro=trixie

url pkg:deb/debian/lighttpd@1.4.53-4%2Bdeb10u2

purl pkg:deb/debian/lighttpd@1.4.53-4%2Bdeb10u2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8sn2-9v3z-5qd8

vulnerability	VCID-dj2j-yr1r-myej

vulnerability	VCID-ma83-g8ra-47bd

vulnerability	VCID-nabb-9r87-mbhw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.53-4%252Bdeb10u2

url	pkg:deb/debian/lighttpd@1.4.59-1%2Bdeb11u2?distro=trixie
purl	pkg:deb/debian/lighttpd@1.4.59-1%2Bdeb11u2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.59-1%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/lighttpd@1.4.69-1?distro=trixie
purl	pkg:deb/debian/lighttpd@1.4.69-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.69-1%3Fdistro=trixie

url	pkg:deb/debian/lighttpd@1.4.79-2?distro=trixie
purl	pkg:deb/debian/lighttpd@1.4.79-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.79-2%3Fdistro=trixie

url	pkg:deb/debian/lighttpd@1.4.82-2?distro=trixie
purl	pkg:deb/debian/lighttpd@1.4.82-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.82-2%3Fdistro=trixie

Affected_packages

url pkg:deb/debian/lighttpd@1.4.13-4

purl pkg:deb/debian/lighttpd@1.4.13-4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-17xt-wfmb-6ba3

vulnerability	VCID-2ym1-hzpb-67bp

vulnerability	VCID-392a-57u1-mqcx

vulnerability	VCID-3mv4-zscp-uke6

vulnerability	VCID-4252-bxgf-pqgq

vulnerability	VCID-483h-5atk-dfgs

vulnerability	VCID-4mqa-bkha-kbaj

vulnerability	VCID-7t19-jqkx-83du

vulnerability	VCID-8sn2-9v3z-5qd8

vulnerability	VCID-a11f-ydyr-6bcd

vulnerability	VCID-bzf1-xw3k-qud7

vulnerability	VCID-d983-1g2v-h7e9

vulnerability	VCID-dj2j-yr1r-myej

vulnerability	VCID-dnxd-x42g-2qcu

vulnerability	VCID-e1yx-dxa6-1bba

vulnerability	VCID-ebx8-yzbr-57ew

vulnerability	VCID-eetd-2zwu-fud5

vulnerability	VCID-ewrp-7up7-9qf3

vulnerability	VCID-gt7s-kr68-5fer

vulnerability	VCID-h1bj-mx6t-6kav

vulnerability	VCID-hc9c-1c4k-wqh1

vulnerability	VCID-j8ey-bqzd-hqce

vulnerability	VCID-jau7-gfz8-dkfa

vulnerability	VCID-ma83-g8ra-47bd

vulnerability	VCID-mmey-1ydv-nfha

vulnerability	VCID-muqu-fzs6-jqbd

vulnerability	VCID-nabb-9r87-mbhw

vulnerability	VCID-ntx6-vp4b-nbdk

vulnerability	VCID-r76c-k624-v7fe

vulnerability	VCID-rjf6-heyy-5kce

vulnerability	VCID-rjpt-cjmu-43fu

vulnerability	VCID-rz5g-r2e9-9kgw

vulnerability	VCID-uk6q-31q8-qqf9

vulnerability	VCID-wfbv-rpt2-9bcs

vulnerability	VCID-xap5-djda-2uem

vulnerability	VCID-xejg-te5s-wfax

vulnerability	VCID-z3wv-cgxn-cyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.13-4

url pkg:deb/debian/lighttpd@1.4.13-4etch12

purl pkg:deb/debian/lighttpd@1.4.13-4etch12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-17xt-wfmb-6ba3

vulnerability	VCID-2ym1-hzpb-67bp

vulnerability	VCID-392a-57u1-mqcx

vulnerability	VCID-3mv4-zscp-uke6

vulnerability	VCID-4252-bxgf-pqgq

vulnerability	VCID-483h-5atk-dfgs

vulnerability	VCID-4mqa-bkha-kbaj

vulnerability	VCID-7t19-jqkx-83du

vulnerability	VCID-8sn2-9v3z-5qd8

vulnerability	VCID-a11f-ydyr-6bcd

vulnerability	VCID-bzf1-xw3k-qud7

vulnerability	VCID-d983-1g2v-h7e9

vulnerability	VCID-dj2j-yr1r-myej

vulnerability	VCID-dnxd-x42g-2qcu

vulnerability	VCID-e1yx-dxa6-1bba

vulnerability	VCID-ebx8-yzbr-57ew

vulnerability	VCID-eetd-2zwu-fud5

vulnerability	VCID-ewrp-7up7-9qf3

vulnerability	VCID-gt7s-kr68-5fer

vulnerability	VCID-h1bj-mx6t-6kav

vulnerability	VCID-hc9c-1c4k-wqh1

vulnerability	VCID-j8ey-bqzd-hqce

vulnerability	VCID-jau7-gfz8-dkfa

vulnerability	VCID-ma83-g8ra-47bd

vulnerability	VCID-mmey-1ydv-nfha

vulnerability	VCID-muqu-fzs6-jqbd

vulnerability	VCID-nabb-9r87-mbhw

vulnerability	VCID-ntx6-vp4b-nbdk

vulnerability	VCID-r76c-k624-v7fe

vulnerability	VCID-rjf6-heyy-5kce

vulnerability	VCID-rjpt-cjmu-43fu

vulnerability	VCID-rz5g-r2e9-9kgw

vulnerability	VCID-uk6q-31q8-qqf9

vulnerability	VCID-wfbv-rpt2-9bcs

vulnerability	VCID-xap5-djda-2uem

vulnerability	VCID-xejg-te5s-wfax

vulnerability	VCID-z3wv-cgxn-cyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.13-4etch12

url pkg:deb/debian/lighttpd@1.4.19-5%2Blenny3

purl pkg:deb/debian/lighttpd@1.4.19-5%2Blenny3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-392a-57u1-mqcx

vulnerability	VCID-3mv4-zscp-uke6

vulnerability	VCID-4252-bxgf-pqgq

vulnerability	VCID-4mqa-bkha-kbaj

vulnerability	VCID-7t19-jqkx-83du

vulnerability	VCID-8sn2-9v3z-5qd8

vulnerability	VCID-dj2j-yr1r-myej

vulnerability	VCID-dnxd-x42g-2qcu

vulnerability	VCID-e1yx-dxa6-1bba

vulnerability	VCID-ebx8-yzbr-57ew

vulnerability	VCID-eetd-2zwu-fud5

vulnerability	VCID-ewrp-7up7-9qf3

vulnerability	VCID-gt7s-kr68-5fer

vulnerability	VCID-jau7-gfz8-dkfa

vulnerability	VCID-ma83-g8ra-47bd

vulnerability	VCID-muqu-fzs6-jqbd

vulnerability	VCID-nabb-9r87-mbhw

vulnerability	VCID-r76c-k624-v7fe

vulnerability	VCID-rz5g-r2e9-9kgw

vulnerability	VCID-uk6q-31q8-qqf9

vulnerability	VCID-wfbv-rpt2-9bcs

vulnerability	VCID-xap5-djda-2uem

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.19-5%252Blenny3

url pkg:deb/debian/lighttpd@1.4.28-2%2Bsqueeze1.6

purl pkg:deb/debian/lighttpd@1.4.28-2%2Bsqueeze1.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-392a-57u1-mqcx

vulnerability	VCID-3mv4-zscp-uke6

vulnerability	VCID-4mqa-bkha-kbaj

vulnerability	VCID-7t19-jqkx-83du

vulnerability	VCID-8sn2-9v3z-5qd8

vulnerability	VCID-dj2j-yr1r-myej

vulnerability	VCID-dnxd-x42g-2qcu

vulnerability	VCID-e1yx-dxa6-1bba

vulnerability	VCID-ebx8-yzbr-57ew

vulnerability	VCID-eetd-2zwu-fud5

vulnerability	VCID-ewrp-7up7-9qf3

vulnerability	VCID-gt7s-kr68-5fer

vulnerability	VCID-jau7-gfz8-dkfa

vulnerability	VCID-ma83-g8ra-47bd

vulnerability	VCID-muqu-fzs6-jqbd

vulnerability	VCID-nabb-9r87-mbhw

vulnerability	VCID-r76c-k624-v7fe

vulnerability	VCID-rz5g-r2e9-9kgw

vulnerability	VCID-uk6q-31q8-qqf9

vulnerability	VCID-wfbv-rpt2-9bcs

vulnerability	VCID-xap5-djda-2uem

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.28-2%252Bsqueeze1.6

url pkg:deb/debian/lighttpd@1.4.28-2%2Bsqueeze1.7

purl pkg:deb/debian/lighttpd@1.4.28-2%2Bsqueeze1.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-392a-57u1-mqcx

vulnerability	VCID-3mv4-zscp-uke6

vulnerability	VCID-4mqa-bkha-kbaj

vulnerability	VCID-7t19-jqkx-83du

vulnerability	VCID-8sn2-9v3z-5qd8

vulnerability	VCID-dj2j-yr1r-myej

vulnerability	VCID-dnxd-x42g-2qcu

vulnerability	VCID-e1yx-dxa6-1bba

vulnerability	VCID-ebx8-yzbr-57ew

vulnerability	VCID-eetd-2zwu-fud5

vulnerability	VCID-ewrp-7up7-9qf3

vulnerability	VCID-gt7s-kr68-5fer

vulnerability	VCID-jau7-gfz8-dkfa

vulnerability	VCID-ma83-g8ra-47bd

vulnerability	VCID-muqu-fzs6-jqbd

vulnerability	VCID-nabb-9r87-mbhw

vulnerability	VCID-r76c-k624-v7fe

vulnerability	VCID-rz5g-r2e9-9kgw

vulnerability	VCID-uk6q-31q8-qqf9

vulnerability	VCID-wfbv-rpt2-9bcs

vulnerability	VCID-xap5-djda-2uem

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.28-2%252Bsqueeze1.7

url pkg:deb/debian/lighttpd@1.4.31-4%2Bdeb7u4

purl pkg:deb/debian/lighttpd@1.4.31-4%2Bdeb7u4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-392a-57u1-mqcx

vulnerability	VCID-3mv4-zscp-uke6

vulnerability	VCID-7t19-jqkx-83du

vulnerability	VCID-8sn2-9v3z-5qd8

vulnerability	VCID-dj2j-yr1r-myej

vulnerability	VCID-ebx8-yzbr-57ew

vulnerability	VCID-ewrp-7up7-9qf3

vulnerability	VCID-gt7s-kr68-5fer

vulnerability	VCID-ma83-g8ra-47bd

vulnerability	VCID-nabb-9r87-mbhw

vulnerability	VCID-r76c-k624-v7fe

vulnerability	VCID-rz5g-r2e9-9kgw

vulnerability	VCID-uk6q-31q8-qqf9

vulnerability	VCID-wfbv-rpt2-9bcs

vulnerability	VCID-xap5-djda-2uem

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.31-4%252Bdeb7u4

url pkg:deb/debian/lighttpd@1.4.35-4

purl pkg:deb/debian/lighttpd@1.4.35-4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-392a-57u1-mqcx

vulnerability	VCID-3mv4-zscp-uke6

vulnerability	VCID-8sn2-9v3z-5qd8

vulnerability	VCID-dj2j-yr1r-myej

vulnerability	VCID-ma83-g8ra-47bd

vulnerability	VCID-nabb-9r87-mbhw

vulnerability	VCID-r76c-k624-v7fe

vulnerability	VCID-uk6q-31q8-qqf9

vulnerability	VCID-wfbv-rpt2-9bcs

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.35-4

url pkg:deb/debian/lighttpd@1.4.35-4%2Bdeb8u1

purl pkg:deb/debian/lighttpd@1.4.35-4%2Bdeb8u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-392a-57u1-mqcx

vulnerability	VCID-3mv4-zscp-uke6

vulnerability	VCID-8sn2-9v3z-5qd8

vulnerability	VCID-dj2j-yr1r-myej

vulnerability	VCID-ma83-g8ra-47bd

vulnerability	VCID-nabb-9r87-mbhw

vulnerability	VCID-r76c-k624-v7fe

vulnerability	VCID-uk6q-31q8-qqf9

vulnerability	VCID-wfbv-rpt2-9bcs

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.35-4%252Bdeb8u1

url pkg:deb/debian/lighttpd@1.4.45-1

purl pkg:deb/debian/lighttpd@1.4.45-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-392a-57u1-mqcx

vulnerability	VCID-8sn2-9v3z-5qd8

vulnerability	VCID-dj2j-yr1r-myej

vulnerability	VCID-ma83-g8ra-47bd

vulnerability	VCID-nabb-9r87-mbhw

vulnerability	VCID-uk6q-31q8-qqf9

vulnerability	VCID-wfbv-rpt2-9bcs

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lighttpd@1.4.45-1

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-11072

reference_id

reference_type

scores

value	0.12083
scoring_system	epss
scoring_elements	0.93813
published_at	2026-04-16T12:55:00Z

value	0.12083
scoring_system	epss
scoring_elements	0.93783
published_at	2026-04-08T12:55:00Z

value	0.12083
scoring_system	epss
scoring_elements	0.93786
published_at	2026-04-09T12:55:00Z

value	0.12083
scoring_system	epss
scoring_elements	0.9379
published_at	2026-04-11T12:55:00Z

value	0.12083
scoring_system	epss
scoring_elements	0.93791
published_at	2026-04-13T12:55:00Z

value	0.12083
scoring_system	epss
scoring_elements	0.93752
published_at	2026-04-01T12:55:00Z

value	0.12083
scoring_system	epss
scoring_elements	0.93761
published_at	2026-04-02T12:55:00Z

value	0.12083
scoring_system	epss
scoring_elements	0.93771
published_at	2026-04-04T12:55:00Z

value	0.12083
scoring_system	epss
scoring_elements	0.93774
published_at	2026-04-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-11072

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11072
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11072

reference_url

https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354

reference_id

reference_type

scores

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-11T20:27:33Z/

url

https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354

reference_url

https://redmine.lighttpd.net/issues/2945

reference_id

reference_type

scores

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-11T20:27:33Z/

url

https://redmine.lighttpd.net/issues/2945

reference_url

http://www.securityfocus.com/bid/107907

reference_id

reference_type

scores

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-11T20:27:33Z/

url

http://www.securityfocus.com/bid/107907

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926885
reference_id	926885
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926885

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:lighttpd:lighttpd::::::::
reference_id	cpe:2.3:a:lighttpd:lighttpd::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:lighttpd:lighttpd::::::::

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-11072

reference_id

CVE-2019-11072

reference_type

scores

value	7.5
scoring_system	cvssv2
scoring_elements	AV:N/AC:L/Au:N/C:P/I:P/A:P

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://nvd.nist.gov/vuln/detail/CVE-2019-11072

Weaknesses

cwe_id	190
name	Integer Overflow or Wraparound
description	The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Exploits

Severity_range_score 7.5 - 9.8

Exploitability 0.5

Weighted_severity 8.8

Risk_score 4.4

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-392a-57u1-mqcx

Vulnerability Instance