CVE-2013-1427
lighttpd - fixed socket name in world-writable directory
EPSS 0.04%
Description
The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition.
How to fix CVE-2013-1427
To remediate CVE-2013-1427, upgrade the affected package to a fixed version below.
- Debian/lighttpd—upgrade to 1.4.31-4 or later
- —upgrade to 1.4.28-2+squeeze1.3 or later
Is CVE-2013-1427 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.4.31-4
- from 0, < 1.4.28-2+squeeze1.3