All the vulnerabilities related to lighttpd - lighttpd
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
debian | debian_linux | 6.0 | |
debian | debian_linux | 7.0 | |
debian | debian_linux | 8.0 | |
opensuse | opensuse | 12.2 | |
opensuse | opensuse | 12.3 | |
opensuse | opensuse | 13.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EFAC0AA-4A42-4ED3-A362-D3A931B995FE", "versionEndIncluding": "1.4.33", "versionStartIncluding": "1.4.24", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*", "matchCriteriaId": "D806A17E-B8F9-466D-807D-3F1E77603DC8", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network." }, { "lang": "es", "value": "lighttpd anteriores a 1.4.34, cuando SNI esta habilitado, configura cifrados SSL d\u00e9biles, lo que hace m\u00e1s f\u00e1cil para un atacante remoto secuestrar sesiones insertando paquetes en el flujo de datos cliente-servidor u obtener informaci\u00f3n sensible capturando la red." 
} ], "id": "CVE-2013-4508", "lastModified": "2024-11-21T01:55:42.283", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2013-11-08T04:47:22.900", "references": [ { "source": "secalert@redhat.com", "tags": [ "Exploit", "Mitigation", "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "source": "secalert@redhat.com", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://openwall.com/lists/oss-security/2013/11/04/19" }, { "source": "secalert@redhat.com", 
"tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "http://redmine.lighttpd.net/issues/2525" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2013/dsa-2795" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mitigation", "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://openwall.com/lists/oss-security/2013/11/04/19" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "http://redmine.lighttpd.net/issues/2525" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2013/dsa-2795" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-326" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "280F8BA1-34E8-4A93-871C-49E6F6826F2C", "versionEndIncluding": "1.4.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header." }, { "lang": "es", "value": "mod_auth (http_auth.c) en lighttpd anterior a 1.4.16 permite a atacantes remotos provocar denegaci\u00f3n de servicio (caida de demonio) a trav\u00e9s de vectores no especificados afectando a (1)una debilidad de memoria, (2)utilizaci\u00f3n de md5-sess sin un cnonce, (3) cadenas c\u00f3dificadas en base64, y (4) restos de espacios en blanco en la cabecera Auth-Digest." 
} ], "id": "CVE-2007-3946", "lastModified": "2024-11-21T00:34:26.020", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-24T00:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/38314" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/38315" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/38316" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/38317" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://secunia.com/advisories/26130" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26158" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26505" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26593" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/browser/branches/lighttpd-1.4.x/NEWS?rev=1875" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/1875" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/24967" }, { 
"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-1550" }, { "source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-1554" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38314" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38315" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38316" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38317" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://secunia.com/advisories/26130" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26158" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26505" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26593" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/browser/branches/lighttpd-1.4.x/NEWS?rev=1875" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/changeset/1875" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/24967" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-1550" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-1554" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
debian | debian_linux | 4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "26A3F66A-350C-4592-9E11-855B5DFAE013", "versionEndExcluding": "1.4.20", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F92AB32-E7DE-43F4-B877-1F41FA162EC7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files." }, { "lang": "es", "value": "mod_userdir de lighttpd versiones anteriores a v1.4.20, cuando un sistema operativo insensible a may\u00fasculas o min\u00fasculas o sistemas de ficheros son utilizados, realiza comparaciones entre may\u00fasculas y min\u00fasculas en componentes de nombres de ficheros en las opciones de configuraci\u00f3n, lo cual puede permitir a atacantes remotos evitar restricciones de acceso intencionadas, como lo demostrado por un fichero .PHP cuando hay una regla de configuraci\u00f3n de ficheros .php." 
} ], "id": "CVE-2008-4360", "lastModified": "2024-11-21T00:51:29.737", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-10-03T17:41:40.447", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/1" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/2" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/3" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32069" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32132" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32480" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32834" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32972" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" }, { "source": 
"cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2283" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2308" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/ticket/1589" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2008/dsa-1645" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/31600" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45689" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32069" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32132" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32480" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32834" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32972" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2283" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2308" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/ticket/1589" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"http://www.debian.org/security/2008/dsa-1645" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/31600" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45689" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "78C95091-A48E-4C17-BB2C-ED771DDDF6D4", "versionEndIncluding": "1.4.19", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0DD96A7-552B-4DC0-BFF5-63022F0A771B", "versionEndExcluding": "1.5.0", "versionStartIncluding": "1.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F92AB32-E7DE-43F4-B877-1F41FA162EC7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost." }, { "lang": "es", "value": "La funci\u00f3n connection_state_machine (connections.c) en lighttpd versi\u00f3n 1.4.19 y anteriores, y versi\u00f3n 1.5.x anterior a 1.5.0, permite a los atacantes remotos generar una denegaci\u00f3n de servicio (p\u00e9rdida de conexi\u00f3n SSL activa) al activar un error SSL, como desconectarse antes que una descarga ha finalizado, lo que hace que todas las conexiones SSL activas se pierdan." 
} ], "id": "CVE-2008-1531", "lastModified": "2024-11-21T00:44:44.870", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2008-03-27T23:44:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/29505" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/29544" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/29636" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/29649" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/30023" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200804-08.xml" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2136" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2139" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2140" }, { "source": "cve@mitre.org", "tags": [ "Vendor 
Advisory" ], "url": "http://trac.lighttpd.net/trac/ticket/285#comment:18" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/ticket/285#comment:21" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0132" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2008/dsa-1540" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://www.osvdb.org/43788" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/490323/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/28489" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/1063/references" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=214892" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41545" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "https://issues.rpath.com/browse/RPL-2407" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00562.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00587.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/29505" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/29544" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/29636" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/29649" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/30023" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200804-08.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2136" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2139" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2140" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/ticket/285#comment:18" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/ticket/285#comment:21" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0132" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2008/dsa-1540" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.osvdb.org/43788" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"http://www.securityfocus.com/archive/1/490323/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/28489" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/1063/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=214892" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41545" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "https://issues.rpath.com/browse/RPL-2407" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00562.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00587.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "73DE19FF-DAA2-4FFC-9392-6CE1B0B5DF5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "57FABC2C-E678-45E8-9FB3-3026D55D26F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB0332C2-9720-4329-A379-5B7048034B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2549EBF-E4B6-4574-BCD8-9DB5F195C9AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B29F5471-E2A9-421D-A1B5-F0B1444CA9AC", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "F44FDF24-03A1-43F3-9D9E-F744F0A1AC3F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "A4B990A8-B28C-4A4C-89AB-50C754EF6491", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "55C0A9A3-E628-4AA8-8676-81A8528CC174", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "8119BEB6-5CBC-4279-9BDE-53ADF1A55F44", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "211959AC-B76B-4E87-8A08-7789B47F823E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "B10DF110-D68E-448F-8BEE-39E0B569596D", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "1A4B7EDE-CA57-4FB2-8306-924FC8BD9C7A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E9A2745B-661B-489A-9140-FD63F668161A", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:lighttpd:lighttpd:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "769931EC-F36A-4F72-A836-85B65CA815C8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D4FE8C27-6822-4AA2-AB80-D29871C74DC2", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "6FB702A9-C175-477C-B4C7-30AF7DB26165", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "08784A81-A00C-4FBD-9A79-35D139FA3079", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "957A7575-FCAB-4C6B-93C8-C9065B412D8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "1BE481AA-EF32-47AD-846A-FEDE38637680", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "FFC56FD6-481A-4D60-BAF3-C988AA2395D7", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "5C691300-EA97-4F67-9C27-3C44FE22E283", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0D09EDA-6E8F-4535-98ED-D972940E2E54", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "E384FD34-327C-40E7-9043-67BC69E6A52B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "B922D725-F31A-453B-B396-6C7FE0D4844B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "EB61C0DE-BAEB-4D65-91EA-D34BA0BEFC49", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "C395148E-BF0E-4C27-B903-444238736B1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.5:*:*:*:*:*:*:*", "matchCriteriaId": 
"0C001488-5A41-45F8-A270-C184728C1614", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAA6EA41-CE55-4854-A5FA-4A49D1A648BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "D7FE9EF8-936E-4351-B512-02B181C4DF5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.8:*:*:*:*:*:*:*", "matchCriteriaId": "16152422-AE34-4970-95B5-440CE8821A05", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.9:*:*:*:*:*:*:*", "matchCriteriaId": "F8D34AB8-5DDD-421F-9C9D-65B6B10EDC7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.10:*:*:*:*:*:*:*", "matchCriteriaId": "53143B04-BB2D-4C40-83B1-8BF8BC6547E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "589775AF-21DF-4E41-BFE6-41E4FAAB0F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.12:*:*:*:*:*:*:*", "matchCriteriaId": "E35D1709-6B2C-4F22-9948-F69F88F9156A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.13:*:*:*:*:*:*:*", "matchCriteriaId": "B4949447-0590-4F76-A00E-1EB94FB7621F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.14:*:*:*:*:*:*:*", "matchCriteriaId": "FAF5B9E9-8BB5-42A6-AF87-5CEE31D2EDC5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.15:*:*:*:*:*:*:*", "matchCriteriaId": "518A4727-ECB7-41C4-8DF5-5375BA5281C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.16:*:*:*:*:*:*:*", "matchCriteriaId": "17207B51-0E7F-4AD2-8AC4-5A5CDC5CDEE5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "45FC99E1-57D4-4B12-BA26-090142B7CBC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "21E0FB64-62A3-4875-AFF1-CF4D1E7BA0D2", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:lighttpd:lighttpd:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "068AD0FA-306D-4C29-857C-21C6067287E8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1125A525-36BA-43E1-A316-6BB33DCEC672", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "A7E488CF-A3F1-4C8B-A92A-8764FA1E6032", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "A5DEAF46-95C2-4187-AF5A-FB8CB2E6FD04", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "24C0ECA9-5A9F-47CA-B8CA-28C7324EC722", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "B4F8F89B-5A10-4EE3-A035-1CEA44B1691A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "F89FCD49-0C73-4E73-9D99-38700B622A06", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected capitalization, as demonstrated by a request for index.PHP when the configuration invokes the PHP interpreter only for \".php\" names." 
} ], "id": "CVE-2006-0760", "lastModified": "2024-11-21T00:07:16.587", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2006-02-18T02:02:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://lighttpd.net/news/" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/18869" }, { "source": "cve@mitre.org", "url": "http://www.lighttpd.net/news/" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/23229" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/0550" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24699" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lighttpd.net/news/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/18869" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.lighttpd.net/news/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/23229" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/0550" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24699" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": 
"NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "280F8BA1-34E8-4A93-871C-49E6F6826F2C", "versionEndIncluding": "1.4.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts." }, { "lang": "es", "value": "connections.c en lighttpd anterior a 1.4.16 podr\u00eda aceptar m\u00e1s conexiones que el m\u00e1ximo configurado, lo cual permite a atacantes remotos provocar denegaci\u00f3n de servicio (fallo de afirmaci\u00f3n) a trav\u00e9s de un gran n\u00famero de intentos de conexi\u00f3n." } ], "evaluatorSolution": "The vendor has released an upgrade which solves the vulnerability: http://trac.lighttpd.net/trac/", "id": "CVE-2007-3948", "lastModified": "2024-11-21T00:34:26.333", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-24T00:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/38312" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/26130" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26158" }, { "source":
"cve@mitre.org", "url": "http://secunia.com/advisories/26505" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/31104" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/1873" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/ticket/1216" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1609" }, { "source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/24967" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38312" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/26130" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26158" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26505" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31104" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/changeset/1873" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/ticket/1216" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1609" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/24967" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/2585" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "D5549E74-A7A7-4D99-B08B-C6ACFB3917FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "72ABD4D8-8AD9-45E5-8FF5-FA947AC07F49", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lighttpd 1.4.12 and 1.4.13 allows remote attackers to cause a denial of service (cpu and resource consumption) by disconnecting while lighttpd is parsing CRLF sequences, which triggers an infinite loop and file descriptor consumption." }, { "lang": "es", "value": "lighttpd 1.4.12 y 1.4.13 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de recursos y cpu) desconectando cuando lighttpd est\u00e1 analizando secuencias CRLF, lo cual provoca un bucle infinito y el consumo de descriptor de fichero." } ], "id": "CVE-2007-1869", "lastModified": "2024-11-21T00:29:21.017", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-04-18T03:19:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/24886" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/24947" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/24995" }, { "source": "cve@mitre.org", "url": 
"http://secunia.com/advisories/25166" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/25613" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200705-07.xml" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2007/dsa-1303" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_01.txt" }, { "source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_007_suse.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/466464/30/6900/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/23515" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/1399" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33671" }, { "source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-1218" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/24886" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/24947" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/24995" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/25166" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/25613" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200705-07.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2007/dsa-1303" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_01.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.novell.com/linux/security/advisories/2007_007_suse.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/466464/30/6900/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/23515" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/1399" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33671" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-1218" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
lighttpd | lighttpd | 1.5.0 | |
debian | debian_linux | 5.0 | |
debian | debian_linux | 6.0 | |
debian | debian_linux | 7.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F033C14-1A83-486C-AEFD-6C7A454A6988", "versionEndExcluding": "1.4.30", "versionStartIncluding": "1.4.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B2CB5DC6-F7D3-45C3-86FC-150216F08A35", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "8C757774-08E7-40AA-B532-6F705C8F7639", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index." }, { "lang": "es", "value": "Error de signo de entero en la funci\u00f3n base64_decode en la funcionalidad de autenticaci\u00f3n HTTP (http_auth.c) en lighttpd v1.4 anterior a v1.4.30 y v1.5 antes de la revisi\u00f3n SVN 2806 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (fallo de segmentaci\u00f3n) a trav\u00e9s de una entrada elaborada en base64 que provoca una lectura \"fuera de los l\u00edmites\" (out-of-bounds) con un \u00edndice negativo."
} ], "id": "CVE-2011-4362", "lastModified": "2024-11-21T01:32:18.747", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-12-24T19:55:05.240", "references": [ { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0167.html" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://blog.pi3.com.pl/?p=277" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "http://redmine.lighttpd.net/issues/2370" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/47260" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2011/dsa-2368" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/18295" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/29/13" }, { "source": 
"secalert@redhat.com", "tags": [ "Exploit", "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/29/8" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id?1026359" }, { "source": "secalert@redhat.com", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=758624" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71536" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0167.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://blog.pi3.com.pl/?p=277" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "http://redmine.lighttpd.net/issues/2370" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/47260" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2011/dsa-2368" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/18295" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Patch", "Third Party Advisory" ], "url": 
"http://www.openwall.com/lists/oss-security/2011/11/29/13" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/29/8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id?1026359" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=758624" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71536" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | 1.3.0 | |
lighttpd | lighttpd | 1.3.1 | |
lighttpd | lighttpd | 1.3.2 | |
lighttpd | lighttpd | 1.3.3 | |
lighttpd | lighttpd | 1.3.4 | |
lighttpd | lighttpd | 1.3.5 | |
lighttpd | lighttpd | 1.3.6 | |
lighttpd | lighttpd | 1.3.7 | |
lighttpd | lighttpd | 1.3.8 | |
lighttpd | lighttpd | 1.3.9 | |
lighttpd | lighttpd | 1.3.10 | |
lighttpd | lighttpd | 1.3.11 | |
lighttpd | lighttpd | 1.3.12 | |
lighttpd | lighttpd | 1.3.13 | |
lighttpd | lighttpd | 1.3.14 | |
lighttpd | lighttpd | 1.3.15 | |
lighttpd | lighttpd | 1.3.16 | |
lighttpd | lighttpd | 1.4.0 | |
lighttpd | lighttpd | 1.4.1 | |
lighttpd | lighttpd | 1.4.2 | |
lighttpd | lighttpd | 1.4.3 | |
lighttpd | lighttpd | 1.4.4 | |
lighttpd | lighttpd | 1.4.5 | |
lighttpd | lighttpd | 1.4.6 | |
lighttpd | lighttpd | 1.4.7 | |
lighttpd | lighttpd | 1.4.8 | |
lighttpd | lighttpd | 1.4.9 | |
lighttpd | lighttpd | 1.4.10 | |
lighttpd | lighttpd | 1.4.12 | |
lighttpd | lighttpd | 1.4.13 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0D09EDA-6E8F-4535-98ED-D972940E2E54", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "E384FD34-327C-40E7-9043-67BC69E6A52B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "B922D725-F31A-453B-B396-6C7FE0D4844B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "EB61C0DE-BAEB-4D65-91EA-D34BA0BEFC49", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "C395148E-BF0E-4C27-B903-444238736B1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "0C001488-5A41-45F8-A270-C184728C1614", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAA6EA41-CE55-4854-A5FA-4A49D1A648BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "D7FE9EF8-936E-4351-B512-02B181C4DF5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.8:*:*:*:*:*:*:*", "matchCriteriaId": "16152422-AE34-4970-95B5-440CE8821A05", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.9:*:*:*:*:*:*:*", "matchCriteriaId": "F8D34AB8-5DDD-421F-9C9D-65B6B10EDC7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.10:*:*:*:*:*:*:*", "matchCriteriaId": "53143B04-BB2D-4C40-83B1-8BF8BC6547E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "589775AF-21DF-4E41-BFE6-41E4FAAB0F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.12:*:*:*:*:*:*:*", "matchCriteriaId": "E35D1709-6B2C-4F22-9948-F69F88F9156A", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:lighttpd:lighttpd:1.3.13:*:*:*:*:*:*:*", "matchCriteriaId": "B4949447-0590-4F76-A00E-1EB94FB7621F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.14:*:*:*:*:*:*:*", "matchCriteriaId": "FAF5B9E9-8BB5-42A6-AF87-5CEE31D2EDC5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.15:*:*:*:*:*:*:*", "matchCriteriaId": "518A4727-ECB7-41C4-8DF5-5375BA5281C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.16:*:*:*:*:*:*:*", "matchCriteriaId": "17207B51-0E7F-4AD2-8AC4-5A5CDC5CDEE5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "45FC99E1-57D4-4B12-BA26-090142B7CBC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "21E0FB64-62A3-4875-AFF1-CF4D1E7BA0D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "068AD0FA-306D-4C29-857C-21C6067287E8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1125A525-36BA-43E1-A316-6BB33DCEC672", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "A7E488CF-A3F1-4C8B-A92A-8764FA1E6032", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "A5DEAF46-95C2-4187-AF5A-FB8CB2E6FD04", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "24C0ECA9-5A9F-47CA-B8CA-28C7324EC722", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "B4F8F89B-5A10-4EE3-A035-1CEA44B1691A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "F89FCD49-0C73-4E73-9D99-38700B622A06", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": 
"FFA9AF51-F423-4167-88AB-5BF916BCC273", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "A21B3F82-1C1D-46EE-92EF-46F7F590957E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "D5549E74-A7A7-4D99-B08B-C6ACFB3917FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "72ABD4D8-8AD9-45E5-8FF5-FA947AC07F49", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.14 allows attackers to cause a denial of service (crash) via a request to a file whose mtime is 0, which results in a NULL pointer dereference." }, { "lang": "es", "value": "lighttpd anterior a 1.4.14 permite a atacantes provocar una denegaci\u00f3n de servicio (ca\u00edda) mediante una petici\u00f3n a un fichero cuyo mtime es 0, lo cual resulta en una referencia a puntero nulo." 
} ], "id": "CVE-2007-1870", "lastModified": "2024-11-21T00:29:21.177", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-04-18T03:19:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/24886" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/24947" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/24995" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/25166" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/25613" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200705-07.xml" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2007/dsa-1303" }, { "source": "cve@mitre.org", "url": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_02.txt" }, { "source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_007_suse.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/466464/30/6900/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/23515" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/1399" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33678" }, { "source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-1218" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/24886" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/24947" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/24995" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/25166" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/25613" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200705-07.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2007/dsa-1303" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_02.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.novell.com/linux/security/advisories/2007_007_suse.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/466464/30/6900/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/23515" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/1399" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33678" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-1218" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "280F8BA1-34E8-4A93-871C-49E6F6826F2C", "versionEndIncluding": "1.4.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings." }, { "lang": "es", "value": "mod_access.c en lighttpd 1.4.15 ignora los caracteres / (barra) finales en la URL, lo cual permite a atacantes remotos evitar configuraciones de url.access-deny." } ], "evaluatorSolution": "Vendor has released an upgrade: http://trac.lighttpd.net/trac/", "id": "CVE-2007-3949", "lastModified": "2024-11-21T00:34:26.473", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 8.5, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-24T00:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/38311" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/26130" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26158" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26505" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26593" }, { "source": "cve@mitre.org", "url":
"http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/1871" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/ticket/1230" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "source": "cve@mitre.org", "url": "http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it" }, { "source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/24967" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38311" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/26130" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26158" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26505" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26593" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/changeset/1871" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/ticket/1230" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/24967" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/2585" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
debian | debian_linux | 6.0 | |
debian | debian_linux | 7.0 | |
debian | debian_linux | 8.0 | |
opensuse | opensuse | 11.4 | |
opensuse | opensuse | 12.3 | |
opensuse | opensuse | 13.1 | |
suse | linux_enterprise_high_availability_extension | 11 | |
suse | linux_enterprise_software_development_kit | 11 | |
contec | sv-cpt-mc310_firmware | * | |
contec | sv-cpt-mc310 | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "073885C4-B20B-46CA-8187-D644E5A53877", "versionEndExcluding": "1.4.35", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*", "matchCriteriaId": "DE554781-1EB9-446E-911F-6C11970C47F4", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:linux_enterprise_high_availability_extension:11:sp3:*:*:*:*:*:*", "matchCriteriaId": "A3A907A3-2A3A-46D4-8D75-914649877B65", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3:*:*:*:*:*:*", "matchCriteriaId": "2F7F8866-DEAD-44D1-AB10-21EE611AA026", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:contec:sv-cpt-mc310_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8EF2969-D593-4759-849A-FA0C3B0C7524", "versionEndExcluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:contec:sv-cpt-mc310:-:*:*:*:*:*:*:*", "matchCriteriaId": 
"F9FCCA5E-19F8-47D9-A6C6-77AF2AEFD51A", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de salto de directorio en (1) mod_evhost y (2) mod_simple_vhost en lighttpd anterior a 1.4.35 permiten a atacantes remotos leer archivos arbitrarios a trav\u00e9s de un .. (punto punto) en el nombre de host, relacionado con request_check_hostname." } ], "id": "CVE-2014-2324", "lastModified": "2024-11-21T02:06:04.650", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T15:55:05.760", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/oss-sec/2014/q1/561" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/oss-sec/2014/q1/564" }, { "source": "cve@mitre.org", "tags": [ "Not Applicable" ], "url": "http://secunia.com/advisories/57404" }, { "source": "cve@mitre.org", "tags": [ "Not Applicable" ], "url": "http://secunia.com/advisories/57514" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2014/dsa-2877" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/2014/3/12/1.4.35/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/66157" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/oss-sec/2014/q1/561" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/oss-sec/2014/q1/564" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable" ], "url": "http://secunia.com/advisories/57404" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable" ], "url": "http://secunia.com/advisories/57514" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2014/dsa-2877" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/2014/3/12/1.4.35/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/66157" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | 1.4.7 | |
lighttpd | lighttpd | 1.4.8 | |
lighttpd | lighttpd | 1.4.9 | |
lighttpd | lighttpd | 1.4.10 | |
lighttpd | lighttpd | 1.4.11 | |
lighttpd | lighttpd | 1.4.12 | |
lighttpd | lighttpd | 1.4.13 | |
lighttpd | lighttpd | 1.4.14 | |
lighttpd | lighttpd | 1.4.15 | |
lighttpd | lighttpd | 1.4.16 | |
lighttpd | lighttpd | 1.4.17 | |
lighttpd | lighttpd | 1.4.18 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "B4F8F89B-5A10-4EE3-A035-1CEA44B1691A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "F89FCD49-0C73-4E73-9D99-38700B622A06", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "FFA9AF51-F423-4167-88AB-5BF916BCC273", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "A21B3F82-1C1D-46EE-92EF-46F7F590957E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "482312DE-D483-42EC-B8B3-C71CE088C7B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "D5549E74-A7A7-4D99-B08B-C6ACFB3917FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "72ABD4D8-8AD9-45E5-8FF5-FA947AC07F49", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "0EC04CE1-4C31-42B7-A92D-38393F549014", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "F79EED03-A95B-4636-A0AA-1F9E72DEF930", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.16:*:*:*:*:*:*:*", "matchCriteriaId": "176D53A7-A81C-4C1F-A7B8-90604A9545F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.17:*:*:*:*:*:*:*", "matchCriteriaId": "8372FF7B-CF9B-4963-AB53-704E87AF3540", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "DA46E89A-565E-439D-BCB2-6CEE44EFDFAC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly 
calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access." }, { "lang": "es", "value": "lighttpd 1.4.18 y posiblemente otras versiones anteriores a la 1.5.0, no calcula correctamente el tama\u00f1o del array descriptor de archivos, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio (ca\u00edda) a trav\u00e9s de un gran n\u00famero de conexiones, lo cual dispara un acceso fuera de l\u00edmite." } ], "id": "CVE-2008-0983", "lastModified": "2024-11-21T00:43:22.217", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-02-26T18:44:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/29066" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29166" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29209" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29268" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29622" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/31104" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml" }, { "source": "cve@mitre.org", 
"tags": [ "Patch" ], "url": "http://trac.lighttpd.net/trac/ticket/1562" }, { "source": "cve@mitre.org", "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0084" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1609" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/488926/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/27943" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/0659/references" }, { "source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-2284" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/29066" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29166" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29209" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29268" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29622" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31104" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://trac.lighttpd.net/trac/ticket/1562" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://wiki.rpath.com/Advisories:rPSA-2008-0084" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1609" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/488926/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/27943" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/0659/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-2284" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-399" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
debian | debian_linux | 6.0 | |
debian | debian_linux | 7.0 | |
debian | debian_linux | 8.0 | |
opensuse | opensuse | 12.2 | |
opensuse | opensuse | 12.3 | |
opensuse | opensuse | 13.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "855B05A3-31E9-4323-9BD0-CA7DF99FDD97", "versionEndExcluding": "1.4.33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*", "matchCriteriaId": "D806A17E-B8F9-466D-807D-3F1E77603DC8", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures." }, { "lang": "es", "value": "Vulnerabilidad de uso despu\u00e9s de liberaci\u00f3n en lighttpd anterior a la versi\u00f3n 1.4.33 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (fallo de segmentaci\u00f3n y ca\u00edda) a trav\u00e9s de vectores que desencadenen fallos FAMMonitorDirectory." 
} ], "id": "CVE-2013-4560", "lastModified": "2024-11-21T01:55:49.940", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-11-20T14:12:30.727", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/55682" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2013/11/12/4" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2013/dsa-2795" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/55682" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2013/11/12/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2013/dsa-2795" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-416" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "393AADC9-347D-46AB-AD28-BE297CC4691F", "versionEndIncluding": "1.4.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory." }, { "lang": "es", "value": "mod_userdir en lighttpd 1.4.18 y anteriores, cuando no est\u00e1 establecido el userdir.path usa un $HOME por defecto, que podr\u00eda permitir a atacantes remotos leer ficheros de su elecci\u00f3n como se ha demostrado accediendo al directorio ~nobody." } ], "id": "CVE-2008-1270", "lastModified": "2024-11-21T00:44:07.940", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-03-10T21:44:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29318" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29403" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29622" }, { "source": "cve@mitre.org", 
"tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29636" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200804-08.xml" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/ticket/1587" }, { "source": "cve@mitre.org", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1521" }, { "source": "cve@mitre.org", "url": "http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany" }, { "source": "cve@mitre.org", "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_03.txt" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/28226" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/0885/references" }, { "source": "cve@mitre.org", "url": "https://bugs.gentoo.org/show_bug.cgi?id=212930" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41173" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://issues.rpath.com/browse/RPL-2344" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29318" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29403" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29622" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29636" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200804-08.xml" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/ticket/1587" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1521" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_03.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/28226" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/0885/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.gentoo.org/show_bug.cgi?id=212930" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41173" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://issues.rpath.com/browse/RPL-2344" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html | Mailing List, Third Party Advisory | |
cve@mitre.org | https://redmine.lighttpd.net/issues/3165 | Exploit, Issue Tracking, Third Party Advisory | |
cve@mitre.org | https://security.gentoo.org/glsa/202210-12 | Third Party Advisory | |
cve@mitre.org | https://www.debian.org/security/2022/dsa-5243 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://redmine.lighttpd.net/issues/3165 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202210-12 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2022/dsa-5243 | Mailing List, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | 1.4.65 | |
debian | debian_linux | 10.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.65:*:*:*:*:*:*:*", "matchCriteriaId": "723D083B-5909-420E-8618-9487635CECD3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition." }, { "lang": "es", "value": "En lighttpd 1.4.65, la funci\u00f3n mod_wstunnel no inicializa un puntero de funci\u00f3n de manejador si es recibida una petici\u00f3n HTTP no v\u00e1lida (websocket handshake). Esto conlleva a una desreferencia de puntero null que hace que el servidor sea bloqueado. 
Podr\u00eda ser usado por un atacante externo para causar una condici\u00f3n de denegaci\u00f3n de servicio" } ], "id": "CVE-2022-37797", "lastModified": "2024-11-21T07:15:11.137", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-09-12T15:15:08.170", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://redmine.lighttpd.net/issues/3165" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202210-12" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.debian.org/security/2022/dsa-5243" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://redmine.lighttpd.net/issues/3165" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202210-12" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.debian.org/security/2022/dsa-5243" } ], "sourceIdentifier": "cve@mitre.org", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-476" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
debian | debian_linux | 6.0 | |
debian | debian_linux | 7.0 | |
debian | debian_linux | 8.0 | |
opensuse | opensuse | 12.2 | |
opensuse | opensuse | 12.3 | |
opensuse | opensuse | 13.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "855B05A3-31E9-4323-9BD0-CA7DF99FDD97", "versionEndExcluding": "1.4.33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*", "matchCriteriaId": "D806A17E-B8F9-466D-807D-3F1E77603DC8", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached." 
}, { "lang": "es", "value": "lighttpd anterior a la versi\u00f3n 1.4.33 no comprueba el valor de vuelta de (1) setuid, (2) setgid, o (3) setgroups, lo que podr\u00eda causar que lighttpd se ejecute bajo administrador si es reiniciado y permitir a atacantes remotos obtener privilegios, tal y como se demostr\u00f3 con m\u00faltiples llamadas a la funci\u00f3n de clonado que provoc\u00f3 que setuid fallara cuando el l\u00edmite de proceso de usuario era alcanzado." } ], "id": "CVE-2013-4559", "lastModified": "2024-11-21T01:55:49.813", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-11-20T14:12:30.727", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "source": "secalert@redhat.com", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/55682" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"http://www.openwall.com/lists/oss-security/2013/11/12/4" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10310" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2013/dsa-2795" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/55682" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2013/11/12/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10310" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2013/dsa-2795" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
lighttpd | lighttpd | 1.3.16 | |
lighttpd | lighttpd | 1.4.3 | |
lighttpd | lighttpd | 1.4.4 | |
lighttpd | lighttpd | 1.4.5 | |
lighttpd | lighttpd | 1.4.6 | |
lighttpd | lighttpd | 1.4.7 | |
lighttpd | lighttpd | 1.4.8 | |
lighttpd | lighttpd | 1.4.9 | |
lighttpd | lighttpd | 1.4.10 | |
lighttpd | lighttpd | 1.4.11 | |
lighttpd | lighttpd | 1.4.12 | |
lighttpd | lighttpd | 1.4.13 | |
lighttpd | lighttpd | 1.4.15 | |
lighttpd | lighttpd | 1.4.16 | |
lighttpd | lighttpd | 1.4.18 | |
lighttpd | lighttpd | 1.4.19 | |
lighttpd | lighttpd | 1.4.20 | |
lighttpd | lighttpd | 1.4.21 | |
lighttpd | lighttpd | 1.4.22 | |
lighttpd | lighttpd | 1.4.23 | |
lighttpd | lighttpd | 1.4.24 | |
lighttpd | lighttpd | 1.4.25 | |
lighttpd | lighttpd | 1.4.26 | |
debian | debian_linux | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CC94FF5-24DF-47F2-ACC7-99334A144D66", "versionEndIncluding": "1.4.27", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.16:*:*:*:*:*:*:*", "matchCriteriaId": "17207B51-0E7F-4AD2-8AC4-5A5CDC5CDEE5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1125A525-36BA-43E1-A316-6BB33DCEC672", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "A7E488CF-A3F1-4C8B-A92A-8764FA1E6032", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "A5DEAF46-95C2-4187-AF5A-FB8CB2E6FD04", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "24C0ECA9-5A9F-47CA-B8CA-28C7324EC722", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "B4F8F89B-5A10-4EE3-A035-1CEA44B1691A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "F89FCD49-0C73-4E73-9D99-38700B622A06", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "FFA9AF51-F423-4167-88AB-5BF916BCC273", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "A21B3F82-1C1D-46EE-92EF-46F7F590957E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "482312DE-D483-42EC-B8B3-C71CE088C7B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "D5549E74-A7A7-4D99-B08B-C6ACFB3917FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "72ABD4D8-8AD9-45E5-8FF5-FA947AC07F49", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:lighttpd:lighttpd:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "F79EED03-A95B-4636-A0AA-1F9E72DEF930", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.16:*:*:*:*:*:*:*", "matchCriteriaId": "176D53A7-A81C-4C1F-A7B8-90604A9545F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "DA46E89A-565E-439D-BCB2-6CEE44EFDFAC", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.19:*:*:*:*:*:*:*", "matchCriteriaId": "0A0C3E7A-1F5B-4926-A69F-0D4BB54E52D7", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.20:*:*:*:*:*:*:*", "matchCriteriaId": "B33D950D-83A0-446E-A55D-D4DB42734B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.21:*:*:*:*:*:*:*", "matchCriteriaId": "25A066E2-FE6B-40F9-A05C-BAF461A71409", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.22:*:*:*:*:*:*:*", "matchCriteriaId": "6FA07E2C-68C3-4B99-B497-F6D6207903B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.23:*:*:*:*:*:*:*", "matchCriteriaId": "83918300-255F-4EC8-AA1A-FDC19FBB2D12", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.24:*:*:*:*:*:*:*", "matchCriteriaId": "28D22D2F-8487-4B8D-97DD-743114A37EAD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.25:*:*:*:*:*:*:*", "matchCriteriaId": "E366C275-E152-4191-A2C6-59619347FF52", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.26:*:*:*:*:*:*:*", "matchCriteriaId": "445292E8-A371-4301-9062-F0035F5E982F", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C8919F1-CD33-437E-9627-69352B276BA3", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The configuration file for the FastCGI PHP support for lighttpd before 
1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition." }, { "lang": "es", "value": "El archivo de configuraci\u00f3n para el soporte FastCGI PHP en lighttpd en versiones anteriores a 1.4.28 en Debian GNU/Linux crea un archivo socket con un nombre predecible en /tmp, lo que permite a usuarios locales secuestrar el socket de control de PHP y llevar a cabo acciones no autorizadas como forzar el uso de una versi\u00f3n diferente de PHP a trav\u00e9s de un ataque de link simb\u00f3lico o una condici\u00f3n de carrera." } ], "id": "CVE-2013-1427", "lastModified": "2024-11-21T01:49:33.640", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-03-21T17:55:03.117", "references": [ { "source": "security@debian.org", "url": "http://osvdb.org/91462" }, { "source": "security@debian.org", "url": "http://www.debian.org/security/2013/dsa-2649" }, { "source": "security@debian.org", "url": "http://www.securityfocus.com/bid/58528" }, { "source": "security@debian.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82897" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/91462" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2013/dsa-2649" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/58528" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82897" } ], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-310" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://article.gmane.org/gmane.comp.web.lighttpd/1171 | Patch, Vendor Advisory | |
cve@mitre.org | http://secunia.com/advisories/14297 | Patch, Vendor Advisory | |
cve@mitre.org | http://security.gentoo.org/glsa/glsa-200502-21.xml | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://article.gmane.org/gmane.comp.web.lighttpd/1171 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/14297 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://security.gentoo.org/glsa/glsa-200502-21.xml | Patch, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "D7FE9EF8-936E-4351-B512-02B181C4DF5E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension." } ], "id": "CVE-2005-0453", "lastModified": "2024-11-20T23:55:09.607", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2005-02-16T05:00:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://article.gmane.org/gmane.comp.web.lighttpd/1171" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/14297" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200502-21.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://article.gmane.org/gmane.comp.web.lighttpd/1171" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/14297" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": 
[ "Patch", "Vendor Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200502-21.xml" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://redmine.lighttpd.net/issues/3134 | Exploit, Vendor Advisory | |
cve@mitre.org | https://www.debian.org/security/2022/dsa-5040 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://redmine.lighttpd.net/issues/3134 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2022/dsa-5040 | Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
debian | debian_linux | 10.0 | |
debian | debian_linux | 11.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "204D3986-08C3-45EB-BA51-2D115E73947E", "versionEndIncluding": "1.4.63", "versionStartIncluding": "1.4.46", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system." }, { "lang": "es", "value": "En lighttpd versiones 1.4.46 hasta 1.4.63, la funci\u00f3n mod_extforward_Forwarded del plugin mod_extforward tiene un desbordamiento de b\u00fafer basado en la pila (4 bytes que representan -1), como lo demuestra la denegaci\u00f3n de servicio remota (ca\u00edda del demonio) en una configuraci\u00f3n no predeterminada. La configuraci\u00f3n no predeterminada requiere el manejo de la cabecera Forwarded de una manera algo inusual. 
Adem\u00e1s, es mucho m\u00e1s probable que un sistema de 32 bits se vea afectado que un sistema de 64 bits" } ], "id": "CVE-2022-22707", "lastModified": "2024-11-21T06:47:17.437", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-06T06:15:07.243", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://redmine.lighttpd.net/issues/3134" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2022/dsa-5040" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://redmine.lighttpd.net/issues/3134" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2022/dsa-5040" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-787" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
fedoraproject | fedora | 35 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "83E35A87-CC2E-40B9-9365-7AF605F083C9", "versionEndExcluding": "1.4.67", "versionStartIncluding": "1.4.56", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67." }, { "lang": "es", "value": "Un filtrado de recursos en el archivo gw_backend.c en lighttpd versiones 1.4.56 hasta 1.4.66, podr\u00eda conllevar a una denegaci\u00f3n de servicio (agotamiento de la ranura de conexi\u00f3n) despu\u00e9s de una gran cantidad de comportamiento TCP an\u00f3malo por parte de los clientes. Est\u00e1 relacionado con un manejo inapropiado de RDHUP en determinadas situaciones de HTTP/1.1 chunked. El uso de mod_fastcgi est\u00e1, por ejemplo, afectado. 
Esto ha sido corregido en versi\u00f3n 1.4.67" } ], "id": "CVE-2022-41556", "lastModified": "2024-11-21T07:23:23.323", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-10-06T18:17:03.620", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/lighttpd/lighttpd1.4/pull/115" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202210-12" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": 
"https://github.com/lighttpd/lighttpd1.4/pull/115" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202210-12" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-401" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "65585561-5F39-42B5-B41F-F805C23945AD", "versionEndIncluding": "1.4.35", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:hp:virtual_customer_access_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C2DBCE5-308D-4432-96F5-5444B265AB27", "versionEndIncluding": "15.07", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*", "matchCriteriaId": "79A602C5-61FE-47BA-9786-F045B6C6DBA8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character." }, { "lang": "es", "value": "mod_auth en lighttpd anterior a 1.4.36 permite a atacantes remotos inyectar entradas de registro arbitrarias a trav\u00e9s de una cadena de la autenticaci\u00f3n HTTP b\u00e1sica sin un caracter de dos puntos, tal y como fue demostrado por una cadena que contiene un caracter nulo y de nueva l\u00ednea." 
} ], "id": "CVE-2015-3200", "lastModified": "2024-11-21T02:28:53.540", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2015-06-09T14:59:01.147", "references": [ { "source": "secalert@redhat.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://jaanuskp.blogspot.com/2015/05/cve-2015-3200.html" }, { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.html" }, { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163286.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://redmine.lighttpd.net/issues/2646" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/74813" }, { "source": "secalert@redhat.com", 
"tags": [ "VDB Entry" ], "url": "http://www.securitytracker.com/id/1032405" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05247375" }, { "source": "secalert@redhat.com", "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10310" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://jaanuskp.blogspot.com/2015/05/cve-2015-3200.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163286.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://redmine.lighttpd.net/issues/2646" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74813" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "VDB Entry" ], "url": "http://www.securitytracker.com/id/1032405" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05247375" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10310" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/107907 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354 | Patch, Third Party Advisory | |
cve@mitre.org | https://redmine.lighttpd.net/issues/2945 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/107907 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://redmine.lighttpd.net/issues/2945 | Exploit, Patch, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CDE5522-6BFF-4679-8289-6A43F9749818", "versionEndIncluding": "1.4.53", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [ { "sourceIdentifier": "cve@mitre.org", "tags": [ "disputed" ] } ], "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states \"The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit.\"" }, { "lang": "es", "value": "** EN DISPUTA ** lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTA: El desarrollador afirma \"La caracter\u00edstica que puede ser abusada para causar el fallo es una nueva caracter\u00edstica en lighttpd 1.4.50, y no est\u00e1 habilitada por defecto. Debe estar configurado expl\u00edcitamente en el archivo de configuraci\u00f3n (por ejemplo, lighttpd.conf). 
Cierta entrada activar\u00e1 un abort() en lighttpd cuando esa caracter\u00edstica est\u00e9 activada. lighttpd detecta que el underflow o realloc() fallar\u00e1 (tanto en ejecutables de 32 bits como en ejecutables de 64 bits), tambi\u00e9n detectado en lighttpd. O bien desencadena un abort() expl\u00edcito por parte de lighttpd. Esto no es explotable m\u00e1s all\u00e1 de activar el abort() expl\u00edcito con la subsiguiente salida de la aplicaci\u00f3n\"." } ], "id": "CVE-2019-11072", "lastModified": "2024-11-21T04:20:29.117", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-04-10T22:29:00.267", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107907" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354" }, { "source": "cve@mitre.org", "tags": [ 
"Exploit", "Patch", "Third Party Advisory" ], "url": "https://redmine.lighttpd.net/issues/2945" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107907" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://redmine.lighttpd.net/issues/2945" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-190" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "73DE19FF-DAA2-4FFC-9392-6CE1B0B5DF5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "57FABC2C-E678-45E8-9FB3-3026D55D26F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB0332C2-9720-4329-A379-5B7048034B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2549EBF-E4B6-4574-BCD8-9DB5F195C9AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B29F5471-E2A9-421D-A1B5-F0B1444CA9AC", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "F44FDF24-03A1-43F3-9D9E-F744F0A1AC3F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "A4B990A8-B28C-4A4C-89AB-50C754EF6491", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "55C0A9A3-E628-4AA8-8676-81A8528CC174", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "8119BEB6-5CBC-4279-9BDE-53ADF1A55F44", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "211959AC-B76B-4E87-8A08-7789B47F823E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "B10DF110-D68E-448F-8BEE-39E0B569596D", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "1A4B7EDE-CA57-4FB2-8306-924FC8BD9C7A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E9A2745B-661B-489A-9140-FD63F668161A", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:lighttpd:lighttpd:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "769931EC-F36A-4F72-A836-85B65CA815C8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D4FE8C27-6822-4AA2-AB80-D29871C74DC2", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "6FB702A9-C175-477C-B4C7-30AF7DB26165", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "08784A81-A00C-4FBD-9A79-35D139FA3079", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "957A7575-FCAB-4C6B-93C8-C9065B412D8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "1BE481AA-EF32-47AD-846A-FEDE38637680", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "FFC56FD6-481A-4D60-BAF3-C988AA2395D7", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "5C691300-EA97-4F67-9C27-3C44FE22E283", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0D09EDA-6E8F-4535-98ED-D972940E2E54", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "E384FD34-327C-40E7-9043-67BC69E6A52B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "B922D725-F31A-453B-B396-6C7FE0D4844B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "EB61C0DE-BAEB-4D65-91EA-D34BA0BEFC49", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "C395148E-BF0E-4C27-B903-444238736B1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.5:*:*:*:*:*:*:*", "matchCriteriaId": 
"0C001488-5A41-45F8-A270-C184728C1614", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAA6EA41-CE55-4854-A5FA-4A49D1A648BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "D7FE9EF8-936E-4351-B512-02B181C4DF5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.8:*:*:*:*:*:*:*", "matchCriteriaId": "16152422-AE34-4970-95B5-440CE8821A05", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.9:*:*:*:*:*:*:*", "matchCriteriaId": "F8D34AB8-5DDD-421F-9C9D-65B6B10EDC7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.10:*:*:*:*:*:*:*", "matchCriteriaId": "53143B04-BB2D-4C40-83B1-8BF8BC6547E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "589775AF-21DF-4E41-BFE6-41E4FAAB0F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.12:*:*:*:*:*:*:*", "matchCriteriaId": "E35D1709-6B2C-4F22-9948-F69F88F9156A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.13:*:*:*:*:*:*:*", "matchCriteriaId": "B4949447-0590-4F76-A00E-1EB94FB7621F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.14:*:*:*:*:*:*:*", "matchCriteriaId": "FAF5B9E9-8BB5-42A6-AF87-5CEE31D2EDC5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.15:*:*:*:*:*:*:*", "matchCriteriaId": "518A4727-ECB7-41C4-8DF5-5375BA5281C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.16:*:*:*:*:*:*:*", "matchCriteriaId": "17207B51-0E7F-4AD2-8AC4-5A5CDC5CDEE5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "45FC99E1-57D4-4B12-BA26-090142B7CBC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "21E0FB64-62A3-4875-AFF1-CF4D1E7BA0D2", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:lighttpd:lighttpd:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "068AD0FA-306D-4C29-857C-21C6067287E8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1125A525-36BA-43E1-A316-6BB33DCEC672", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "A7E488CF-A3F1-4C8B-A92A-8764FA1E6032", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "A5DEAF46-95C2-4187-AF5A-FB8CB2E6FD04", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "24C0ECA9-5A9F-47CA-B8CA-28C7324EC722", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "B4F8F89B-5A10-4EE3-A035-1CEA44B1691A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "F89FCD49-0C73-4E73-9D99-38700B622A06", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "FFA9AF51-F423-4167-88AB-5BF916BCC273", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "A21B3F82-1C1D-46EE-92EF-46F7F590957E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "response.c in Lighttpd 1.4.10 and possibly previous versions, when run on Windows, allows remote attackers to read arbitrary source code via requests that contain trailing (1) \".\" (dot) and (2) space characters, which are ignored by Windows, as demonstrated by PHP files." 
}, { "lang": "es", "value": "response.c en Lighttpd 1.4.10 y posiblemente versiones anteriores, cuando se ejecuta sobre Windows, permite a atacantes leer c\u00f3digo fuente de su elecci\u00f3n mediante peticiones conteniendo caract\u00e9res (1) \".\" (punto) y (2) espacio al final, que son ignoradas por Windows, como se ha demostrado en ficheros PHP." } ], "id": "CVE-2006-0814", "lastModified": "2024-11-21T00:07:24.133", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2006-03-06T21:02:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/18886" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/secunia_research/2006-9/advisory/" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/523" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1015703" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/1005" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/23542" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/426446/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/16893" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/0782" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24976" }, 
{ "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/18886" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/secunia_research/2006-9/advisory/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/523" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1015703" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/changeset/1005" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/23542" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/426446/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/16893" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/0782" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24976" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "DA46E89A-565E-439D-BCB2-6CEE44EFDFAC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information." }, { "lang": "es", "value": "El mod_cgi en lighttpd versi\u00f3n 1.4.18, env\u00eda el c\u00f3digo fuente de los scripts CGI en lugar de un error 500 cuando ocurre un fallo de bifurcaci\u00f3n, lo que podr\u00eda permitir a los atacantes remotos obtener informaci\u00f3n confidencial." } ], "id": "CVE-2008-1111", "lastModified": "2024-11-21T00:43:42.230", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-03-04T23:44:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29209" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29235" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29268" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": 
"http://secunia.com/advisories/29275" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29318" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29622" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/2107" }, { "source": "cve@mitre.org", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1513" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/28100" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/0763" }, { "source": "cve@mitre.org", "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008" }, { "source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-2326" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29209" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29235" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29268" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29275" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29318" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29622" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/changeset/2107" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1513" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/28100" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/0763" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-2326" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", 
"type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.31:*:*:*:*:*:*:*", "matchCriteriaId": "EEA16D25-3D16-435F-B704-50013009F0AF", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.32:*:*:*:*:*:*:*", "matchCriteriaId": "68C9A1B6-B5B1-4208-9054-C24091D90B6F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the \"Connection: TE,,Keep-Alive\" header." }, { "lang": "es", "value": "La funci\u00f3n http_request_split_value en request.c en lighttpd en versiones anteriores a 1.4.32 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (bucle infinito) a trav\u00e9s de una petici\u00f3n con una cabecera que contiene un token vac\u00edo, tal como se demuestra utilizando la cabecera \"Connection: TE,,Keep-Alive\"." 
} ], "evaluatorImpact": "Per: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt\r\n\r\n\" Affected versions\r\n-------------------\r\n\r\nOnly 1.4.31; on the other hand versions before 1.4.31 include the \"invalid read\" bug.\"", "id": "CVE-2012-5533", "lastModified": "2024-11-21T01:44:50.250", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-11-24T20:55:04.307", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00051.html" }, { "source": "secalert@redhat.com", "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/87623" }, { "source": "secalert@redhat.com", "url": "http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51268" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": 
"http://secunia.com/advisories/51298" }, { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/22902" }, { "source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:100" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/11/21/1" }, { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/56619" }, { "source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id?1027802" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80213" }, { "source": "secalert@redhat.com", "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00051.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/87623" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51268" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"http://secunia.com/advisories/51298" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/22902" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:100" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/11/21/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/56619" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1027802" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80213" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-399" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "280F8BA1-34E8-4A93-871C-49E6F6826F2C", "versionEndIncluding": "1.4.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules." }, { "lang": "es", "value": "lighttpd 1.4.15, cuando funciona bajo plataformas de 32 bits, permite a atacantes remotos provocar denegaci\u00f3n de servicio (ca\u00edda de demonio) a trav\u00e9s de vectores no especificados afectando al uso de especificaciones de formatos incompatibles en ciertos mensajes de depuraci\u00f3n en los m\u00f3dulos (1) mod_scgi, (2) mod_fastcgi, y (3) mod_webdav." 
} ], "evaluatorSolution": "Vendor has released upgrade for vulnerability: http://trac.lighttpd.net/trac/", "id": "CVE-2007-3950", "lastModified": "2024-11-21T00:34:26.613", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-24T00:30:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/26130" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26158" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26505" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26593" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2909" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/1882" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/ticket/1263" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/24967" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/26130" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26158" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26505" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26593" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/2909" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/changeset/1882" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/ticket/1263" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/24967" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/2585" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
debian | debian_linux | 4.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "26A3F66A-350C-4592-9E11-855B5DFAE013", "versionEndExcluding": "1.4.20", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F92AB32-E7DE-43F4-B877-1F41FA162EC7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data." }, { "lang": "es", "value": "lighttpd versiones anteriores a v1.4.20 compara URIs con patrones en los ajustes de configuraci\u00f3n (1) url.redirect y (2) url.rewrite antes de realizar la decodificaci\u00f3n de URL, lo cual puede permitir a atacantes remotos evitar restricciones de acceso intencionado, y obtener informaci\u00f3n sensible o posiblemente modificar datos." 
} ], "id": "CVE-2008-4359", "lastModified": "2024-11-21T00:51:29.550", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-10-03T17:41:40.430", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/1" }, { "source": "cve@mitre.org", "tags": [ "Mailing List" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/2" }, { "source": "cve@mitre.org", "tags": [ "Mailing List" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/3" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32069" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32132" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32480" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32834" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32972" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": 
"http://trac.lighttpd.net/trac/changeset/2278" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2307" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2309" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2310" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/ticket/1720" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2008/dsa-1645" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/31599" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45690" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32069" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32132" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32480" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32834" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://secunia.com/advisories/32972" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2278" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2307" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://trac.lighttpd.net/trac/changeset/2310" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"http://trac.lighttpd.net/trac/ticket/1720" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2008/dsa-1645" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/31599" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45690" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "280F8BA1-34E8-4A93-871C-49E6F6826F2C", "versionEndIncluding": "1.4.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18 allows remote attackers to overwrite arbitrary CGI variables and execute arbitrary code via an HTTP request with a long content length, as demonstrated by overwriting the SCRIPT_FILENAME variable, aka a \"header overflow.\"" }, { "lang": "es", "value": "Desbordamiento de b\u00fafer en la funci\u00f3n fcgi_env_add de mod_proxy_backend_fastcgi.c en la extensi\u00f3n mod_fastcgi en lighttpd anterior a 1.4.18 permite a atacantes remotos sobrescribir variables CGI de su elecci\u00f3n y ejecutar c\u00f3digo de su elecci\u00f3n mediante una petici\u00f3n HTTP con una longitud de contenido larga, como se ha demostrado sobrescribiendo la variable SCRIPT_FILENAME, tambi\u00e9n conocido como \"desbordamiento de cabecera\"." 
} ], "id": "CVE-2007-4727", "lastModified": "2024-11-21T00:36:18.677", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": true, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-09-12T19:17:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://fedoranews.org/updates/FEDORA-2007-213.shtml" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26732" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26794" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26824" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26997" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/27229" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/3127" }, { "source": "cve@mitre.org", "url": "http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/1986" }, { "source": "cve@mitre.org", "url": "http://www.gentoo.org/security/en/glsa/glsa-200709-16.xml" }, { "source": "cve@mitre.org", "url": "http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt" }, { "source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_20_sr.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/479763/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/25622" }, { 
"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/3110" }, { "source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=284511" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36526" }, { "source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-1715" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://fedoranews.org/updates/FEDORA-2007-213.shtml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26732" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26794" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26824" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26997" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/27229" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/3127" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/changeset/1986" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.gentoo.org/security/en/glsa/glsa-200709-16.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.novell.com/linux/security/advisories/2007_20_sr.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/479763/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/25622" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/3110" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=284511" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36526" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-1715" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-119" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/lighttpd/lighttpd1.4 | Product, Third Party Advisory | |
cve@mitre.org | https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service | Exploit, Third Party Advisory | |
cve@mitre.org | https://podalirius.net/en/cves/2022-30780/ | Exploit, Third Party Advisory | |
cve@mitre.org | https://redmine.lighttpd.net/issues/3059 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lighttpd/lighttpd1.4 | Product, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://podalirius.net/en/cves/2022-30780/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://redmine.lighttpd.net/issues/3059 | Issue Tracking, Patch, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.56:*:*:*:*:*:*:*", "matchCriteriaId": "AE4AED56-A19F-4C09-9254-E0BCD86E3E61", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.57:*:*:*:*:*:*:*", "matchCriteriaId": "D135491A-A9FC-4CE9-983C-635086A35371", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.58:*:*:*:*:*:*:*", "matchCriteriaId": "95D491AC-57C6-43E1-A3F0-1C932CBCE1EE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers." }, { "lang": "es", "value": "Lighttpd versiones 1.4.56 hasta 1.4.58, permite a un atacante remoto causar una denegaci\u00f3n de servicio (consumo de CPU por conexiones atascadas) porque la funci\u00f3n connection_read_header_more en el archivo connections.c presenta una errata que interrumpe el uso de m\u00faltiples operaciones de lectura en encabezados grandes" } ], "id": "CVE-2022-30780", "lastModified": "2024-11-21T07:03:21.907", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, 
"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-06-11T15:15:08.807", "references": [ { "source": "cve@mitre.org", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/lighttpd/lighttpd1.4" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://podalirius.net/en/cves/2022-30780/" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://redmine.lighttpd.net/issues/3059" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/lighttpd/lighttpd1.4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://podalirius.net/en/cves/2022-30780/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "https://redmine.lighttpd.net/issues/3059" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-682" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "7197D869-E40E-42D0-B69E-535D2C7FC9F3", "versionEndIncluding": "1.4.25", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "73DE19FF-DAA2-4FFC-9392-6CE1B0B5DF5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "57FABC2C-E678-45E8-9FB3-3026D55D26F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB0332C2-9720-4329-A379-5B7048034B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2549EBF-E4B6-4574-BCD8-9DB5F195C9AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B29F5471-E2A9-421D-A1B5-F0B1444CA9AC", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "F44FDF24-03A1-43F3-9D9E-F744F0A1AC3F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "A4B990A8-B28C-4A4C-89AB-50C754EF6491", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "55C0A9A3-E628-4AA8-8676-81A8528CC174", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "8119BEB6-5CBC-4279-9BDE-53ADF1A55F44", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "211959AC-B76B-4E87-8A08-7789B47F823E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "B10DF110-D68E-448F-8BEE-39E0B569596D", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "1A4B7EDE-CA57-4FB2-8306-924FC8BD9C7A", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:lighttpd:lighttpd:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E9A2745B-661B-489A-9140-FD63F668161A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "769931EC-F36A-4F72-A836-85B65CA815C8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D4FE8C27-6822-4AA2-AB80-D29871C74DC2", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "6FB702A9-C175-477C-B4C7-30AF7DB26165", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "957A7575-FCAB-4C6B-93C8-C9065B412D8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "1BE481AA-EF32-47AD-846A-FEDE38637680", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "FFC56FD6-481A-4D60-BAF3-C988AA2395D7", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "5C691300-EA97-4F67-9C27-3C44FE22E283", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0D09EDA-6E8F-4535-98ED-D972940E2E54", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "E384FD34-327C-40E7-9043-67BC69E6A52B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "B922D725-F31A-453B-B396-6C7FE0D4844B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "EB61C0DE-BAEB-4D65-91EA-D34BA0BEFC49", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "C395148E-BF0E-4C27-B903-444238736B1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.5:*:*:*:*:*:*:*", "matchCriteriaId": 
"0C001488-5A41-45F8-A270-C184728C1614", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAA6EA41-CE55-4854-A5FA-4A49D1A648BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.8:*:*:*:*:*:*:*", "matchCriteriaId": "16152422-AE34-4970-95B5-440CE8821A05", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.9:*:*:*:*:*:*:*", "matchCriteriaId": "F8D34AB8-5DDD-421F-9C9D-65B6B10EDC7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.10:*:*:*:*:*:*:*", "matchCriteriaId": "53143B04-BB2D-4C40-83B1-8BF8BC6547E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "589775AF-21DF-4E41-BFE6-41E4FAAB0F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.12:*:*:*:*:*:*:*", "matchCriteriaId": "E35D1709-6B2C-4F22-9948-F69F88F9156A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.13:*:*:*:*:*:*:*", "matchCriteriaId": "B4949447-0590-4F76-A00E-1EB94FB7621F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.14:*:*:*:*:*:*:*", "matchCriteriaId": "FAF5B9E9-8BB5-42A6-AF87-5CEE31D2EDC5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.15:*:*:*:*:*:*:*", "matchCriteriaId": "518A4727-ECB7-41C4-8DF5-5375BA5281C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.16:*:*:*:*:*:*:*", "matchCriteriaId": "17207B51-0E7F-4AD2-8AC4-5A5CDC5CDEE5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "45FC99E1-57D4-4B12-BA26-090142B7CBC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "068AD0FA-306D-4C29-857C-21C6067287E8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1125A525-36BA-43E1-A316-6BB33DCEC672", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:lighttpd:lighttpd:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "A7E488CF-A3F1-4C8B-A92A-8764FA1E6032", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "A5DEAF46-95C2-4187-AF5A-FB8CB2E6FD04", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "24C0ECA9-5A9F-47CA-B8CA-28C7324EC722", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "B4F8F89B-5A10-4EE3-A035-1CEA44B1691A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "F89FCD49-0C73-4E73-9D99-38700B622A06", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "FFA9AF51-F423-4167-88AB-5BF916BCC273", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "A21B3F82-1C1D-46EE-92EF-46F7F590957E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "482312DE-D483-42EC-B8B3-C71CE088C7B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "D5549E74-A7A7-4D99-B08B-C6ACFB3917FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "72ABD4D8-8AD9-45E5-8FF5-FA947AC07F49", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "0EC04CE1-4C31-42B7-A92D-38393F549014", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "F79EED03-A95B-4636-A0AA-1F9E72DEF930", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.16:*:*:*:*:*:*:*", "matchCriteriaId": "176D53A7-A81C-4C1F-A7B8-90604A9545F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.17:*:*:*:*:*:*:*", "matchCriteriaId": 
"8372FF7B-CF9B-4963-AB53-704E87AF3540", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": "DA46E89A-565E-439D-BCB2-6CEE44EFDFAC", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.19:*:*:*:*:*:*:*", "matchCriteriaId": "0A0C3E7A-1F5B-4926-A69F-0D4BB54E52D7", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.20:*:*:*:*:*:*:*", "matchCriteriaId": "B33D950D-83A0-446E-A55D-D4DB42734B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.21:*:*:*:*:*:*:*", "matchCriteriaId": "25A066E2-FE6B-40F9-A05C-BAF461A71409", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.22:*:*:*:*:*:*:*", "matchCriteriaId": "6FA07E2C-68C3-4B99-B497-F6D6207903B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.23:*:*:*:*:*:*:*", "matchCriteriaId": "83918300-255F-4EC8-AA1A-FDC19FBB2D12", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.24:*:*:*:*:*:*:*", "matchCriteriaId": "28D22D2F-8487-4B8D-97DD-743114A37EAD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B2CB5DC6-F7D3-45C3-86FC-150216F08A35", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate." }, { "lang": "es", "value": "lighttpd anterior a v1.4.26 y v1.5.x, reserva un b\u00fafer por cada operaci\u00f3n de lectura para cada petici\u00f3n, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de memoria) rompiendo la petici\u00f3n en peque\u00f1os pedazos que son enviados a baja velocidad." 
} ], "id": "CVE-2010-0295", "lastModified": "2024-11-21T01:11:55.347", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-02-03T19:30:00.467", "references": [ { "source": "secalert@redhat.com", "url": "http://blogs.sun.com/security/entry/cve_2010_0295_vulnerability_in" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt" }, { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041264.html" }, { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041296.html" }, { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041307.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00003.html" }, { "source": "secalert@redhat.com", "url": "http://redmine.lighttpd.net/issues/2147" }, { "source": "secalert@redhat.com", "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710" }, { "source": 
"secalert@redhat.com", "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/38403" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/39765" }, { "source": "secalert@redhat.com", "url": "http://security.gentoo.org/glsa/glsa-201006-17.xml" }, { "source": "secalert@redhat.com", "url": "http://www.debian.org/security/2010/dsa-1987" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/02/01/8" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/38036" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2011/0172" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56038" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://blogs.sun.com/security/entry/cve_2010_0295_vulnerability_in" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041264.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041296.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041307.html" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00003.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://redmine.lighttpd.net/issues/2147" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/38403" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/39765" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-201006-17.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2010/dsa-1987" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2010/02/01/8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/38036" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2011/0172" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56038" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-399" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "280F8BA1-34E8-4A93-871C-49E6F6826F2C", "versionEndIncluding": "1.4.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fault." }, { "lang": "es", "value": "request.c en lighttpd 1.4.15 permite a atacantes remotos provocar denegaci\u00f3n de servicio (ca\u00edda de demonio) a trav\u00e9s del env\u00edo de una petici\u00f3n HTTP con cabeceras duplicadas, como se demostr\u00f3 con una petici\u00f3n que contiene dos l\u00edneas de cabecera Location, lo cual deriva en un fallo de segmentaci\u00f3n." } ], "evaluatorSolution": "Vendor has addressed this vulnerability in an upgrade: http://trac.lighttpd.net/trac/", "id": "CVE-2007-3947", "lastModified": "2024-11-21T00:34:26.193", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-07-24T00:30:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/38313" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26130" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": 
"http://secunia.com/advisories/26158" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26505" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26593" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/1869" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/ticket/1232" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/24967" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38313" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26130" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26158" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26505" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26593" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/changeset/1869" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/ticket/1232" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/24967" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/2585" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html | Mailing List, Third Party Advisory | |
cve@mitre.org | https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1 | Exploit, Vendor Advisory | |
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html | Mailing List, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
opensuse | backports_sle | 15.0 | |
opensuse | backports_sle | 15.0 | |
opensuse | leap | 15.0 | |
opensuse | leap | 15.1 | |
suse | suse_linux_enterprise_server | 11 | |
suse | suse_linux_enterprise_server | 11 | |
suse | suse_linux_enterprise_server | 12 | |
suse | suse_linux_enterprise_server | 12 | |
suse | suse_linux_enterprise_server | 12 | |
suse | suse_linux_enterprise_server | 12 | |
suse | suse_linux_enterprise_server | 12 | |
debian | debian_linux | 9.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "98F929BB-28DA-4990-B923-BF682E3F5965", "versionEndExcluding": "1.4.50", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*", "matchCriteriaId": "D83DA865-E4A6-4FBF-AA1B-A969EBA6B2AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "40513095-7E6E-46B3-B604-C926F1BA3568", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp3:*:*:*:*:*:*", "matchCriteriaId": "DD4BBD63-E038-45CE-9537-D96831E99A06", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp4:*:*:*:*:*:*", "matchCriteriaId": "41E76620-EC14-4D2B-828F-53F26DEA5DDC", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*", "matchCriteriaId": "9C649194-B8C2-49F7-A819-C635EE584ABF", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:12:sp1:*:*:*:*:*:*", "matchCriteriaId": "06F182F1-8B69-4E1E-B058-27002046E999", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:12:sp2:*:*:*:*:*:*", "matchCriteriaId": "5A7ED7DD-A7D2-4A71-8415-26103530AB2E", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:12:sp3:*:*:*:*:*:*", "matchCriteriaId": "CEF98D6C-3C80-4A42-B14B-22D69BC1F4C2", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:12:sp4:*:*:*:*:*:*", "matchCriteriaId": "DF6890E9-C113-4DB0-BB63-193834B6E5A9", "vulnerable": 
true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing \u0027/\u0027 character, but the alias target filesystem path does have a trailing \u0027/\u0027 character." }, { "lang": "es", "value": "Se ha descubierto un problema en mod_alias_physical_handler en mod_alias.c en lighttpd en versiones anteriores a la 1.4.50. Hay un salto de directorio ../ de un \u00fanico directorio sobre el alias objetivo, con una configuraci\u00f3n mod_alias espec\u00edfica en la que el alias coincidente carece de un car\u00e1cter \"/\" final, pero el sistema de archivos del alias objetivo s\u00ed tiene un car\u00e1cter \"/\" final." 
} ], "id": "CVE-2018-19052", "lastModified": "2024-11-21T03:57:14.017", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-11-07T05:29:00.343", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": 
"https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
lighttpd | lighttpd | * | |
debian | debian_linux | 6.0 | |
debian | debian_linux | 7.0 | |
debian | debian_linux | 8.0 | |
opensuse | opensuse | 11.4 | |
opensuse | opensuse | 12.3 | |
opensuse | opensuse | 13.1 | |
suse | linux_enterprise_high_availability_extension | 11 | |
suse | linux_enterprise_software_development_kit | 11 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "073885C4-B20B-46CA-8187-D644E5A53877", "versionEndExcluding": "1.4.35", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*", "matchCriteriaId": "DE554781-1EB9-446E-911F-6C11970C47F4", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:linux_enterprise_high_availability_extension:11:sp3:*:*:*:*:*:*", "matchCriteriaId": "A3A907A3-2A3A-46D4-8D75-914649877B65", "vulnerable": true }, { "criteria": "cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3:*:*:*:*:*:*", "matchCriteriaId": "2F7F8866-DEAD-44D1-AB10-21EE611AA026", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname." 
}, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en mod_mysql_vhost.c en lighttpd anterior a 1.4.35 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s del nombre de host, relacionado con request_check_hostname." } ], "id": "CVE-2014-2323", "lastModified": "2024-11-21T02:06:04.480", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2014-03-14T15:55:05.743", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/oss-sec/2014/q1/561" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/oss-sec/2014/q1/564" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/57404" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/57514" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2014/dsa-2877" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/2014/3/12/1.4.35/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/oss-sec/2014/q1/561" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/oss-sec/2014/q1/564" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/57404" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/57514" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2014/dsa-2877" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.lighttpd.net/2014/3/12/1.4.35/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "matchCriteriaId": "78C95091-A48E-4C17-BB2C-ED771DDDF6D4", "versionEndIncluding": "1.4.19", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2549EBF-E4B6-4574-BCD8-9DB5F195C9AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B29F5471-E2A9-421D-A1B5-F0B1444CA9AC", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "F44FDF24-03A1-43F3-9D9E-F744F0A1AC3F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "A4B990A8-B28C-4A4C-89AB-50C754EF6491", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "55C0A9A3-E628-4AA8-8676-81A8528CC174", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "8119BEB6-5CBC-4279-9BDE-53ADF1A55F44", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "211959AC-B76B-4E87-8A08-7789B47F823E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "B10DF110-D68E-448F-8BEE-39E0B569596D", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "1A4B7EDE-CA57-4FB2-8306-924FC8BD9C7A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "769931EC-F36A-4F72-A836-85B65CA815C8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D4FE8C27-6822-4AA2-AB80-D29871C74DC2", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "6FB702A9-C175-477C-B4C7-30AF7DB26165", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:lighttpd:lighttpd:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "08784A81-A00C-4FBD-9A79-35D139FA3079", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "957A7575-FCAB-4C6B-93C8-C9065B412D8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "1BE481AA-EF32-47AD-846A-FEDE38637680", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "FFC56FD6-481A-4D60-BAF3-C988AA2395D7", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "5C691300-EA97-4F67-9C27-3C44FE22E283", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E0D09EDA-6E8F-4535-98ED-D972940E2E54", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "E384FD34-327C-40E7-9043-67BC69E6A52B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "B922D725-F31A-453B-B396-6C7FE0D4844B", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "EB61C0DE-BAEB-4D65-91EA-D34BA0BEFC49", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "C395148E-BF0E-4C27-B903-444238736B1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "0C001488-5A41-45F8-A270-C184728C1614", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAA6EA41-CE55-4854-A5FA-4A49D1A648BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "D7FE9EF8-936E-4351-B512-02B181C4DF5E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.8:*:*:*:*:*:*:*", "matchCriteriaId": 
"16152422-AE34-4970-95B5-440CE8821A05", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.9:*:*:*:*:*:*:*", "matchCriteriaId": "F8D34AB8-5DDD-421F-9C9D-65B6B10EDC7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.10:*:*:*:*:*:*:*", "matchCriteriaId": "53143B04-BB2D-4C40-83B1-8BF8BC6547E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "589775AF-21DF-4E41-BFE6-41E4FAAB0F28", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.12:*:*:*:*:*:*:*", "matchCriteriaId": "E35D1709-6B2C-4F22-9948-F69F88F9156A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.13:*:*:*:*:*:*:*", "matchCriteriaId": "B4949447-0590-4F76-A00E-1EB94FB7621F", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.14:*:*:*:*:*:*:*", "matchCriteriaId": "FAF5B9E9-8BB5-42A6-AF87-5CEE31D2EDC5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.15:*:*:*:*:*:*:*", "matchCriteriaId": "518A4727-ECB7-41C4-8DF5-5375BA5281C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.3.16:*:*:*:*:*:*:*", "matchCriteriaId": "17207B51-0E7F-4AD2-8AC4-5A5CDC5CDEE5", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "45FC99E1-57D4-4B12-BA26-090142B7CBC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "21E0FB64-62A3-4875-AFF1-CF4D1E7BA0D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "068AD0FA-306D-4C29-857C-21C6067287E8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1125A525-36BA-43E1-A316-6BB33DCEC672", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "A7E488CF-A3F1-4C8B-A92A-8764FA1E6032", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:lighttpd:lighttpd:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "A5DEAF46-95C2-4187-AF5A-FB8CB2E6FD04", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "24C0ECA9-5A9F-47CA-B8CA-28C7324EC722", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "B4F8F89B-5A10-4EE3-A035-1CEA44B1691A", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "F89FCD49-0C73-4E73-9D99-38700B622A06", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "FFA9AF51-F423-4167-88AB-5BF916BCC273", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "A21B3F82-1C1D-46EE-92EF-46F7F590957E", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "482312DE-D483-42EC-B8B3-C71CE088C7B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "D5549E74-A7A7-4D99-B08B-C6ACFB3917FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "72ABD4D8-8AD9-45E5-8FF5-FA947AC07F49", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "0EC04CE1-4C31-42B7-A92D-38393F549014", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.15:*:*:*:*:*:*:*", "matchCriteriaId": "F79EED03-A95B-4636-A0AA-1F9E72DEF930", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.16:*:*:*:*:*:*:*", "matchCriteriaId": "176D53A7-A81C-4C1F-A7B8-90604A9545F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.17:*:*:*:*:*:*:*", "matchCriteriaId": "8372FF7B-CF9B-4963-AB53-704E87AF3540", "vulnerable": true }, { "criteria": "cpe:2.3:a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*", "matchCriteriaId": 
"DA46E89A-565E-439D-BCB2-6CEE44EFDFAC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers." }, { "lang": "es", "value": "Fuga de memoria en la funci\u00f3n http_request_parse en request.c en lighttpd anteriores a v1.4.20 permite a atacantes remotos causar denegaci\u00f3n de servicio (consumo de memoria) a trav\u00e9s de un gran n\u00famero de peticiones con cabeceras de peticiones duplicadas." } ], "id": "CVE-2008-4298", "lastModified": "2024-11-21T00:51:20.010", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-09-27T10:30:03.680", "references": [ { "source": "cve@mitre.org", "url": "http://bugs.gentoo.org/show_bug.cgi?id=238180" }, { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32069" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32132" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32480" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32834" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32972" }, { 
"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" }, { "source": "cve@mitre.org", "url": "http://trac.lighttpd.net/trac/changeset/2305" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://trac.lighttpd.net/trac/ticket/1774" }, { "source": "cve@mitre.org", "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "source": "cve@mitre.org", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1645" }, { "source": "cve@mitre.org", "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2008/09/26/5" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/31434" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45471" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.gentoo.org/show_bug.cgi?id=238180" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32069" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32132" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32480" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32834" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32972" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://trac.lighttpd.net/trac/changeset/2305" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://trac.lighttpd.net/trac/ticket/1774" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1645" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2008/09/26/5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/31434" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45471" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-399" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2007-3946
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:37:05.572Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "26158", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26158" }, { "name": "38314", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/38314" }, { "name": "ADV-2007-2585", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-1550" }, { "name": "26130", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26130" }, { "name": "38316", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/38316" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/24967" }, { "name": "38317", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/38317" }, { "name": "26593", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26593" }, { "name": "DSA-1362", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2007/dsa-1362" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/1875" }, { "name": "GLSA-200708-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "tags": [ "x_refsource_CONFIRM", 
"x_transferred" ], "url": "http://trac.lighttpd.net/trac/browser/branches/lighttpd-1.4.x/NEWS?rev=1875" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-1554" }, { "name": "SUSE-SR:2007:015", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "38315", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/38315" }, { "name": "26505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26505" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-07-19T00:00:00", "descriptions": [ { "lang": "en", "value": "mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "26158", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26158" }, { "name": "38314", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/38314" }, { "name": "ADV-2007-2585", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.rpath.com/browse/RPL-1550" }, { "name": "26130", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26130" }, { "name": "38316", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/38316" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/24967" }, { "name": "38317", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/38317" }, { "name": "26593", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26593" }, { "name": "DSA-1362", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2007/dsa-1362" }, { "tags": [ "x_refsource_MISC" ], "url": "http://trac.lighttpd.net/trac/changeset/1875" }, { "name": "GLSA-200708-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/browser/branches/lighttpd-1.4.x/NEWS?rev=1875" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"https://issues.rpath.com/browse/RPL-1554" }, { "name": "SUSE-SR:2007:015", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "38315", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/38315" }, { "name": "26505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26505" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3946", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "26158", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26158" }, { "name": "38314", "refsource": "OSVDB", "url": "http://osvdb.org/38314" }, { "name": "ADV-2007-2585", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "https://issues.rpath.com/browse/RPL-1550", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-1550" }, { "name": "26130", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26130" }, { "name": "38316", "refsource": "OSVDB", "url": "http://osvdb.org/38316" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24967" }, { "name": "38317", "refsource": "OSVDB", "url": "http://osvdb.org/38317" }, { "name": "26593", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26593" }, { "name": "DSA-1362", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "name": "http://trac.lighttpd.net/trac/changeset/1875", "refsource": "MISC", "url": "http://trac.lighttpd.net/trac/changeset/1875" }, { "name": "GLSA-200708-11", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "name": "http://trac.lighttpd.net/trac/browser/branches/lighttpd-1.4.x/NEWS?rev=1875", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/browser/branches/lighttpd-1.4.x/NEWS?rev=1875" }, { "name": "https://issues.rpath.com/browse/RPL-1554", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-1554" }, { "name": "SUSE-SR:2007:015", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "38315", "refsource": "OSVDB", "url": 
"http://osvdb.org/38315" }, { "name": "26505", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26505" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3946", "datePublished": "2007-07-24T00:00:00", "dateReserved": "2007-07-23T00:00:00", "dateUpdated": "2024-08-07T14:37:05.572Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-2323
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:06:00.483Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/2014/3/12/1.4.35/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt" }, { "name": "DSA-2877", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2014/dsa-2877" }, { "name": "openSUSE-SU-2014:0449", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html" }, { "name": "57514", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/57514" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "name": "openSUSE-SU-2014:0496", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html" }, { "name": "SUSE-SU-2014:0474", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html" }, { "name": "57404", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/57404" }, { "name": "[oss-security] 20140312 Re: lighttpd 1.4.34 SQL injection and path traversal CVE request", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q1/564" }, { "name": "[oss-security] 20140312 lighttpd 1.4.34 SQL injection and path traversal CVE request", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": 
"http://seclists.org/oss-sec/2014/q1/561" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-03-12T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-19T04:06:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/2014/3/12/1.4.35/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt" }, { "name": "DSA-2877", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2014/dsa-2877" }, { "name": "openSUSE-SU-2014:0449", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html" }, { "name": "57514", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/57514" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "name": "openSUSE-SU-2014:0496", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html" }, { "name": "SUSE-SU-2014:0474", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html" }, { "name": "57404", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/57404" }, { "name": "[oss-security] 20140312 Re: lighttpd 1.4.34 SQL injection and path traversal CVE request", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q1/564" }, { "name": "[oss-security] 20140312 lighttpd 1.4.34 SQL injection and path traversal CVE request", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q1/561" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2323", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.lighttpd.net/2014/3/12/1.4.35/", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/2014/3/12/1.4.35/" }, { "name": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt", "refsource": "CONFIRM", "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt" }, { "name": "DSA-2877", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2877" }, { "name": "openSUSE-SU-2014:0449", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html" }, { "name": "57514", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57514" }, { "name": "HPSBGN03191", "refsource": "HP", "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "name": "openSUSE-SU-2014:0496", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html" }, { "name": "SUSE-SU-2014:0474", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html" }, { "name": "57404", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57404" }, { "name": "[oss-security] 20140312 Re: lighttpd 1.4.34 SQL injection and path traversal CVE request", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/564" }, { "name": "[oss-security] 20140312 lighttpd 1.4.34 SQL injection and path traversal CVE request", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/561" }, { "name": "JVN#37417423", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2323", "datePublished": "2014-03-14T15:00:00", "dateReserved": "2014-03-12T00:00:00", "dateUpdated": 
"2024-08-06T10:06:00.483Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-25103
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "lighttpd", "vendor": "lighttpd", "versions": [ { "lessThanOrEqual": "1.4.50", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2018-25103", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-01T20:51:04.704950Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-01T20:51:27.271Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-05T12:33:49.277Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#more-736" }, { "tags": [ "x_transferred" ], "url": "https://www.runzero.com/blog/lighttpd/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9" }, { "tags": [ "x_transferred" ], "url": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8" }, { "tags": [ "x_transferred" ], "url": "https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024002.pdf" }, { "tags": [ "x_transferred" ], "url": "https://www.kb.cert.org/vuls/id/312260" } ], 
"title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "lighttpd", "vendor": "lighttpd", "versions": [ { "lessThanOrEqual": "1.4.50", "status": "affected", "version": "*", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Thanks to VDOO Embedded Security part of JFROG for reporting the vulnerability in the If-Modified-Since header with line folding, and thanks to Marcus Wengelin for reporting the vulnerability in the Range header with a specially crafted pair of Range headers." } ], "descriptions": [ { "lang": "en", "value": "There exists use-after-free vulnerabilities in lighttpd \u003c= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests." } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-416: Use After Free", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-09T14:42:06.145Z", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "url": "https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#more-736" }, { "url": "https://www.runzero.com/blog/lighttpd/" }, { "url": "https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9" }, { "url": "https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8" }, { "url": "https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024002.pdf" }, { "url": "https://www.kb.cert.org/vuls/id/312260" } ], "source": { "discovery": "EXTERNAL" }, "title": "Use-after-free vulnerabilities in lighttpd \u003c= 1.4.50", "x_generator": { "engine": "VINCE 3.0.4", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2018-25103" } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2018-25103", "datePublished": "2024-06-17T18:02:57.162Z", 
"dateReserved": "2024-06-17T17:47:24.277Z", "dateUpdated": "2024-08-05T12:33:49.277Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-1531
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:24:42.543Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/285#comment:21" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-2407" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=214892" }, { "name": "DSA-1540", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1540" }, { "name": "SUSE-SR:2008:011", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html" }, { "name": "43788", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/43788" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2136" }, { "name": "FEDORA-2008-3343", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00562.html" }, { "name": "GLSA-200804-08", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200804-08.xml" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/285#comment:18" }, { "name": "30023", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/30023" }, { "name": "29505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29505" }, { "name": "20080331 rPSA-2008-0132-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": 
"http://www.securityfocus.com/archive/1/490323/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0132" }, { "name": "28489", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28489" }, { "name": "29636", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29636" }, { "name": "ADV-2008-1063", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/1063/references" }, { "name": "29544", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29544" }, { "name": "lighttpd-sslerror-dos(41545)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41545" }, { "name": "29649", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29649" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2140" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2139" }, { "name": "FEDORA-2008-3376", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00587.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-03-26T00:00:00", "descriptions": [ { "lang": "en", "value": "The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a 
download has finished, which causes all active SSL connections to be lost." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://trac.lighttpd.net/trac/ticket/285#comment:21" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.rpath.com/browse/RPL-2407" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=214892" }, { "name": "DSA-1540", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1540" }, { "name": "SUSE-SR:2008:011", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html" }, { "name": "43788", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/43788" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2136" }, { "name": "FEDORA-2008-3343", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00562.html" }, { "name": "GLSA-200804-08", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200804-08.xml" }, { "tags": [ "x_refsource_MISC" ], "url": "http://trac.lighttpd.net/trac/ticket/285#comment:18" }, { "name": "30023", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/30023" }, { "name": "29505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29505" }, { "name": "20080331 rPSA-2008-0132-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/490323/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0132" }, { "name": "28489", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28489" }, { "name": "29636", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29636" }, { "name": "ADV-2008-1063", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/1063/references" }, { "name": "29544", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29544" }, { "name": "lighttpd-sslerror-dos(41545)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41545" }, { "name": "29649", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29649" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2140" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2139" }, { "name": "FEDORA-2008-3376", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00587.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1531", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://trac.lighttpd.net/trac/ticket/285#comment:21", "refsource": "MISC", "url": "http://trac.lighttpd.net/trac/ticket/285#comment:21" }, { "name": "https://issues.rpath.com/browse/RPL-2407", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-2407" }, { "name": "https://bugs.gentoo.org/show_bug.cgi?id=214892", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/show_bug.cgi?id=214892" }, { "name": "DSA-1540", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1540" }, { "name": "SUSE-SR:2008:011", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html" }, { "name": "43788", "refsource": "OSVDB", "url": "http://www.osvdb.org/43788" }, { "name": "http://trac.lighttpd.net/trac/changeset/2136", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2136" }, { "name": "FEDORA-2008-3343", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00562.html" }, { "name": "GLSA-200804-08", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200804-08.xml" }, { "name": "http://trac.lighttpd.net/trac/ticket/285#comment:18", "refsource": "MISC", "url": "http://trac.lighttpd.net/trac/ticket/285#comment:18" }, { "name": "30023", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30023" }, { "name": "29505", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29505" }, { "name": "20080331 rPSA-2008-0132-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/490323/100/0/threaded" }, { "name": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0132", "refsource": "CONFIRM", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0132" }, { "name": "28489", "refsource": "BID", "url": 
"http://www.securityfocus.com/bid/28489" }, { "name": "29636", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29636" }, { "name": "ADV-2008-1063", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1063/references" }, { "name": "29544", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29544" }, { "name": "lighttpd-sslerror-dos(41545)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41545" }, { "name": "29649", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29649" }, { "name": "http://trac.lighttpd.net/trac/changeset/2140", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2140" }, { "name": "http://trac.lighttpd.net/trac/changeset/2139", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2139" }, { "name": "FEDORA-2008-3376", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00587.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1531", "datePublished": "2008-03-27T23:00:00", "dateReserved": "2008-03-27T00:00:00", "dateUpdated": "2024-08-07T08:24:42.543Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-22707
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://redmine.lighttpd.net/issues/3134 | x_refsource_MISC | |
https://www.debian.org/security/2022/dsa-5040 | vendor-advisory, x_refsource_DEBIAN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:21:48.853Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://redmine.lighttpd.net/issues/3134" }, { "name": "DSA-5040", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5040" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-12T10:06:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://redmine.lighttpd.net/issues/3134" }, { "name": "DSA-5040", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2022/dsa-5040" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-22707", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://redmine.lighttpd.net/issues/3134", "refsource": "MISC", "url": "https://redmine.lighttpd.net/issues/3134" }, { "name": "DSA-5040", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5040" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-22707", "datePublished": "2022-01-06T05:55:30", "dateReserved": "2022-01-06T00:00:00", "dateUpdated": "2024-08-03T03:21:48.853Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-1870
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T13:13:41.739Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "25613", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/25613" }, { "name": "GLSA-200705-07", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200705-07.xml" }, { "name": "ADV-2007-1399", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2007/1399" }, { "name": "24947", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/24947" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_02.txt" }, { "name": "SUSE-SR:2007:007", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://www.novell.com/linux/security/advisories/2007_007_suse.html" }, { "name": "24995", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/24995" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-1218" }, { "name": "DSA-1303", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2007/dsa-1303" }, { "name": "lighttpd-mtime-dos(33678)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33678" }, { "name": "23515", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/23515" }, { "name": "20070420 FLEA-2007-0011-1: lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/466464/30/6900/threaded" }, { "name": "25166", 
"tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/25166" }, { "name": "24886", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/24886" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-04-16T00:00:00", "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.14 allows attackers to cause a denial of service (crash) via a request to a file whose mtime is 0, which results in a NULL pointer dereference." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "25613", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/25613" }, { "name": "GLSA-200705-07", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200705-07.xml" }, { "name": "ADV-2007-1399", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2007/1399" }, { "name": "24947", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/24947" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_02.txt" }, { "name": "SUSE-SR:2007:007", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/2007_007_suse.html" }, { "name": "24995", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/24995" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.rpath.com/browse/RPL-1218" }, { "name": "DSA-1303", "tags": [ 
"vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2007/dsa-1303" }, { "name": "lighttpd-mtime-dos(33678)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33678" }, { "name": "23515", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/23515" }, { "name": "20070420 FLEA-2007-0011-1: lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/466464/30/6900/threaded" }, { "name": "25166", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/25166" }, { "name": "24886", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/24886" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-1870", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "lighttpd before 1.4.14 allows attackers to cause a denial of service (crash) via a request to a file whose mtime is 0, which results in a NULL pointer dereference." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "25613", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25613" }, { "name": "GLSA-200705-07", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200705-07.xml" }, { "name": "ADV-2007-1399", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/1399" }, { "name": "24947", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24947" }, { "name": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_02.txt", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_02.txt" }, { "name": "SUSE-SR:2007:007", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_007_suse.html" }, { "name": "24995", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24995" }, { "name": "https://issues.rpath.com/browse/RPL-1218", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-1218" }, { "name": "DSA-1303", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2007/dsa-1303" }, { "name": "lighttpd-mtime-dos(33678)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33678" }, { "name": "23515", "refsource": "BID", "url": "http://www.securityfocus.com/bid/23515" }, { "name": "20070420 FLEA-2007-0011-1: lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/466464/30/6900/threaded" }, { "name": "25166", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25166" }, { "name": "24886", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24886" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-1870", "datePublished": "2007-04-18T02:20:00", "dateReserved": "2007-04-05T00:00:00", "dateUpdated": "2024-08-07T13:13:41.739Z", 
"state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2006-0814
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://www.securityfocus.com/archive/1/426446/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://trac.lighttpd.net/trac/changeset/1005 | x_refsource_CONFIRM | |
http://www.osvdb.org/23542 | vdb-entry, x_refsource_OSVDB | |
http://secunia.com/advisories/18886 | third-party-advisory, x_refsource_SECUNIA | |
http://www.vupen.com/english/advisories/2006/0782 | vdb-entry, x_refsource_VUPEN | |
http://securityreason.com/securityalert/523 | third-party-advisory, x_refsource_SREASON | |
http://www.securityfocus.com/bid/16893 | vdb-entry, x_refsource_BID | |
http://secunia.com/secunia_research/2006-9/advisory/ | x_refsource_MISC | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/24976 | vdb-entry, x_refsource_XF | |
http://securitytracker.com/id?1015703 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T16:48:56.456Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20060301 Secunia Research: Lighttpd Script Source Disclosure Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/426446/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/1005" }, { "name": "23542", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/23542" }, { "name": "18886", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/18886" }, { "name": "ADV-2006-0782", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2006/0782" }, { "name": "523", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/523" }, { "name": "16893", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/16893" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://secunia.com/secunia_research/2006-9/advisory/" }, { "name": "lighttpd-source-code-disclosure(24976)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24976" }, { "name": "1015703", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1015703" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-03-01T00:00:00", "descriptions": [ { "lang": "en", "value": "response.c in Lighttpd 1.4.10 and possibly previous versions, when run on Windows, allows remote 
attackers to read arbitrary source code via requests that contain trailing (1) \".\" (dot) and (2) space characters, which are ignored by Windows, as demonstrated by PHP files." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-18T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20060301 Secunia Research: Lighttpd Script Source Disclosure Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/426446/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/1005" }, { "name": "23542", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/23542" }, { "name": "18886", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/18886" }, { "name": "ADV-2006-0782", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2006/0782" }, { "name": "523", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/523" }, { "name": "16893", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/16893" }, { "tags": [ "x_refsource_MISC" ], "url": "http://secunia.com/secunia_research/2006-9/advisory/" }, { "name": "lighttpd-source-code-disclosure(24976)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24976" }, { "name": "1015703", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1015703" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-0814", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": 
"n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "response.c in Lighttpd 1.4.10 and possibly previous versions, when run on Windows, allows remote attackers to read arbitrary source code via requests that contain trailing (1) \".\" (dot) and (2) space characters, which are ignored by Windows, as demonstrated by PHP files." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20060301 Secunia Research: Lighttpd Script Source Disclosure Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/426446/100/0/threaded" }, { "name": "http://trac.lighttpd.net/trac/changeset/1005", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/1005" }, { "name": "23542", "refsource": "OSVDB", "url": "http://www.osvdb.org/23542" }, { "name": "18886", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/18886" }, { "name": "ADV-2006-0782", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/0782" }, { "name": "523", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/523" }, { "name": "16893", "refsource": "BID", "url": "http://www.securityfocus.com/bid/16893" }, { "name": "http://secunia.com/secunia_research/2006-9/advisory/", "refsource": "MISC", "url": "http://secunia.com/secunia_research/2006-9/advisory/" }, { "name": "lighttpd-source-code-disclosure(24976)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24976" }, { "name": "1015703", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1015703" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-0814", "datePublished": "2006-03-06T21:00:00", "dateReserved": 
"2006-02-21T00:00:00", "dateUpdated": "2024-08-07T16:48:56.456Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-3200
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://www.securityfocus.com/bid/74813 | vdb-entry, x_refsource_BID | |
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05247375 | x_refsource_CONFIRM | |
http://redmine.lighttpd.net/issues/2646 | x_refsource_CONFIRM | |
http://www.securitytracker.com/id/1032405 | vdb-entry, x_refsource_SECTRACK | |
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163286.html | vendor-advisory, x_refsource_FEDORA | |
http://jaanuskp.blogspot.com/2015/05/cve-2015-3200.html | x_refsource_MISC | |
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html | x_refsource_CONFIRM | |
https://kc.mcafee.com/corporate/index?page=content&id=SB10310 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T05:39:31.929Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "74813", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74813" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05247375" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://redmine.lighttpd.net/issues/2646" }, { "name": "1032405", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1032405" }, { "name": "FEDORA-2015-12252", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.html" }, { "name": "FEDORA-2015-12250", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163286.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://jaanuskp.blogspot.com/2015/05/cve-2015-3200.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10310" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-05-25T00:00:00", "descriptions": [ { "lang": "en", "value": "mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-18T07:06:06", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "74813", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74813" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05247375" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://redmine.lighttpd.net/issues/2646" }, { "name": "1032405", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1032405" }, { "name": "FEDORA-2015-12252", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163223.html" }, { "name": "FEDORA-2015-12250", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163286.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://jaanuskp.blogspot.com/2015/05/cve-2015-3200.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10310" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-3200", "datePublished": "2015-06-09T14:00:00", "dateReserved": "2015-04-10T00:00:00", "dateUpdated": "2024-08-06T05:39:31.929Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-3947
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://secunia.com/advisories/26158 | third-party-advisory, x_refsource_SECUNIA | |
http://trac.lighttpd.net/trac/changeset/1869 | x_refsource_MISC | |
http://osvdb.org/38313 | vdb-entry, x_refsource_OSVDB | |
http://www.vupen.com/english/advisories/2007/2585 | vdb-entry, x_refsource_VUPEN | |
http://secunia.com/advisories/26130 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/archive/1/474131/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/24967 | vdb-entry, x_refsource_BID | |
http://secunia.com/advisories/26593 | third-party-advisory, x_refsource_SECUNIA | |
http://trac.lighttpd.net/trac/ticket/1232 | x_refsource_CONFIRM | |
http://www.debian.org/security/2007/dsa-1362 | vendor-advisory, x_refsource_DEBIAN | |
http://security.gentoo.org/glsa/glsa-200708-11.xml | vendor-advisory, x_refsource_GENTOO | |
http://www.novell.com/linux/security/advisories/2007_15_sr.html | vendor-advisory, x_refsource_SUSE | |
http://secunia.com/advisories/26505 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:37:05.379Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "26158", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26158" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/1869" }, { "name": "38313", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/38313" }, { "name": "ADV-2007-2585", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26130" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/24967" }, { "name": "26593", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26593" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/1232" }, { "name": "DSA-1362", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2007/dsa-1362" }, { "name": "GLSA-200708-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "name": "SUSE-SR:2007:015", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], 
"url": "http://secunia.com/advisories/26505" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-06-11T00:00:00", "descriptions": [ { "lang": "en", "value": "request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fault." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "26158", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26158" }, { "tags": [ "x_refsource_MISC" ], "url": "http://trac.lighttpd.net/trac/changeset/1869" }, { "name": "38313", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/38313" }, { "name": "ADV-2007-2585", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26130" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/24967" }, { "name": "26593", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26593" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/ticket/1232" }, { "name": "DSA-1362", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": 
"http://www.debian.org/security/2007/dsa-1362" }, { "name": "GLSA-200708-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "name": "SUSE-SR:2007:015", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26505" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3947", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fault." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "26158", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26158" }, { "name": "http://trac.lighttpd.net/trac/changeset/1869", "refsource": "MISC", "url": "http://trac.lighttpd.net/trac/changeset/1869" }, { "name": "38313", "refsource": "OSVDB", "url": "http://osvdb.org/38313" }, { "name": "ADV-2007-2585", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26130" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24967" }, { "name": "26593", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26593" }, { "name": "http://trac.lighttpd.net/trac/ticket/1232", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/ticket/1232" }, { "name": "DSA-1362", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "name": "GLSA-200708-11", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "name": "SUSE-SR:2007:015", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26505" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3947", "datePublished": "2007-07-24T00:00:00", "dateReserved": "2007-07-23T00:00:00", "dateUpdated": "2024-08-07T14:37:05.379Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-4360
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:17:08.423Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "32069", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32069" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch" }, { "name": "32972", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32972" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "name": "31600", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/31600" }, { "name": "32834", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32834" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2283" }, { "name": "lighttpd-moduserdir-info-disclosure(45689)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45689" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "name": "32132", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32132" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2308" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/1" }, { "name": "20081030 rPSA-2008-0309-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": 
"http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "name": "ADV-2008-2741", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "name": "DSA-1645", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1645" }, { "name": "[oss-security] 20080930 Re: Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/3" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/2" }, { "name": "32480", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32480" }, { "name": "SUSE-SR:2008:026", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/1589" }, { "name": "GLSA-200812-04", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-09-30T00:00:00", "descriptions": [ { "lang": "en", "value": "mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, 
as demonstrated by a request for a .PHP file when there is a configuration rule for .php files." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "32069", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32069" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch" }, { "name": "32972", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32972" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "name": "31600", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/31600" }, { "name": "32834", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32834" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2283" }, { "name": "lighttpd-moduserdir-info-disclosure(45689)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45689" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "name": "32132", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32132" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2308" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/1" }, { "name": "20081030 rPSA-2008-0309-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" 
}, { "name": "ADV-2008-2741", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "name": "DSA-1645", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1645" }, { "name": "[oss-security] 20080930 Re: Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/3" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/2" }, { "name": "32480", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32480" }, { "name": "SUSE-SR:2008:026", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/ticket/1589" }, { "name": "GLSA-200812-04", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-4360", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as 
demonstrated by a request for a .PHP file when there is a configuration rule for .php files." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "32069", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32069" }, { "name": "http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch" }, { "name": "32972", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32972" }, { "name": "http://wiki.rpath.com/Advisories:rPSA-2008-0309", "refsource": "CONFIRM", "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "name": "31600", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31600" }, { "name": "32834", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32834" }, { "name": "http://trac.lighttpd.net/trac/changeset/2283", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2283" }, { "name": "lighttpd-moduserdir-info-disclosure(45689)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45689" }, { "name": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309", "refsource": "CONFIRM", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "name": "32132", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32132" }, { "name": "http://trac.lighttpd.net/trac/changeset/2308", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2308" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2008/09/30/1" }, { "name": "20081030 rPSA-2008-0309-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "name": "ADV-2008-2741", "refsource": "VUPEN", "url": 
"http://www.vupen.com/english/advisories/2008/2741" }, { "name": "DSA-1645", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1645" }, { "name": "[oss-security] 20080930 Re: Re: CVE request: lighttpd issues", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2008/09/30/3" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2008/09/30/2" }, { "name": "32480", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32480" }, { "name": "SUSE-SR:2008:026", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "name": "http://trac.lighttpd.net/trac/ticket/1589", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/ticket/1589" }, { "name": "GLSA-200812-04", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" }, { "name": "http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-4360", "datePublished": "2008-10-03T17:18:00", "dateReserved": "2008-09-30T00:00:00", "dateUpdated": "2024-08-07T10:17:08.423Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-4727
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T15:08:33.521Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-1715" }, { "name": "20070917 FLEA-2007-0054-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/479763/100/0/threaded" }, { "name": "FEDORA-2007-2132", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://fedoranews.org/updates/FEDORA-2007-213.shtml" }, { "name": "26732", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26732" }, { "name": "GLSA-200709-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://www.gentoo.org/security/en/glsa/glsa-200709-16.xml" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/" }, { "name": "25622", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/25622" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=284511" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt" }, { "name": "lighttpd-modfastcgi-code-execution(36526)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36526" }, { "name": "3127", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/3127" }, { "name": "26997", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26997" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], 
"url": "http://trac.lighttpd.net/trac/changeset/1986" }, { "name": "26824", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26824" }, { "name": "ADV-2007-3110", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2007/3110" }, { "name": "27229", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/27229" }, { "name": "26794", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26794" }, { "name": "SUSE-SR:2007:020", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://www.novell.com/linux/security/advisories/2007_20_sr.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-09-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18 allows remote attackers to overwrite arbitrary CGI variables and execute arbitrary code via an HTTP request with a long content length, as demonstrated by overwriting the SCRIPT_FILENAME variable, aka a \"header overflow.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.rpath.com/browse/RPL-1715" }, { "name": "20070917 FLEA-2007-0054-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/479763/100/0/threaded" }, { "name": "FEDORA-2007-2132", "tags": [ "vendor-advisory", 
"x_refsource_FEDORA" ], "url": "http://fedoranews.org/updates/FEDORA-2007-213.shtml" }, { "name": "26732", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26732" }, { "name": "GLSA-200709-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://www.gentoo.org/security/en/glsa/glsa-200709-16.xml" }, { "tags": [ "x_refsource_MISC" ], "url": "http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/" }, { "name": "25622", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/25622" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=284511" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt" }, { "name": "lighttpd-modfastcgi-code-execution(36526)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36526" }, { "name": "3127", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/3127" }, { "name": "26997", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26997" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/1986" }, { "name": "26824", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26824" }, { "name": "ADV-2007-3110", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2007/3110" }, { "name": "27229", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/27229" }, { "name": "26794", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26794" }, { "name": "SUSE-SR:2007:020", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/2007_20_sr.html" } ], 
"x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-4727", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18 allows remote attackers to overwrite arbitrary CGI variables and execute arbitrary code via an HTTP request with a long content length, as demonstrated by overwriting the SCRIPT_FILENAME variable, aka a \"header overflow.\"" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.rpath.com/browse/RPL-1715", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-1715" }, { "name": "20070917 FLEA-2007-0054-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/479763/100/0/threaded" }, { "name": "FEDORA-2007-2132", "refsource": "FEDORA", "url": "http://fedoranews.org/updates/FEDORA-2007-213.shtml" }, { "name": "26732", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26732" }, { "name": "GLSA-200709-16", "refsource": "GENTOO", "url": "http://www.gentoo.org/security/en/glsa/glsa-200709-16.xml" }, { "name": "http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/", "refsource": "MISC", "url": "http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/" }, { "name": "25622", "refsource": "BID", "url": "http://www.securityfocus.com/bid/25622" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=284511", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=284511" }, { "name": 
"http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt" }, { "name": "lighttpd-modfastcgi-code-execution(36526)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36526" }, { "name": "3127", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/3127" }, { "name": "26997", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26997" }, { "name": "http://trac.lighttpd.net/trac/changeset/1986", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/1986" }, { "name": "26824", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26824" }, { "name": "ADV-2007-3110", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/3110" }, { "name": "27229", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/27229" }, { "name": "26794", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26794" }, { "name": "SUSE-SR:2007:020", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_20_sr.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-4727", "datePublished": "2007-09-12T19:00:00", "dateReserved": "2007-09-05T00:00:00", "dateUpdated": "2024-08-07T15:08:33.521Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-0983
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:01:40.227Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "ADV-2008-0659", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/0659/references" }, { "name": "29268", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29268" }, { "name": "29066", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29066" }, { "name": "29622", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29622" }, { "name": "SUSE-SR:2008:008", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "name": "29209", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29209" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-2284" }, { "name": "FEDORA-2008-2262", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html" }, { "name": "GLSA-200803-10", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml" }, { "name": "20080228 rPSA-2008-0084-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/488926/100/0/threaded" }, { "name": "DSA-1609", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1609" }, { "name": "29166", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], 
"url": "http://secunia.com/advisories/29166" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0084" }, { "name": "FEDORA-2008-2278", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html" }, { "name": "27943", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27943" }, { "name": "31104", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/31104" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/1562" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-02-21T00:00:00", "descriptions": [ { "lang": "en", "value": "lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "ADV-2008-0659", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/0659/references" }, { "name": "29268", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29268" }, { "name": "29066", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29066" }, { "name": "29622", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29622" }, { "name": "SUSE-SR:2008:008", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "name": "29209", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29209" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.rpath.com/browse/RPL-2284" }, { "name": "FEDORA-2008-2262", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html" }, { "name": "GLSA-200803-10", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml" }, { "name": "20080228 rPSA-2008-0084-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/488926/100/0/threaded" }, { "name": "DSA-1609", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1609" }, { "name": "29166", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29166" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://wiki.rpath.com/Advisories:rPSA-2008-0084" }, { "name": "FEDORA-2008-2278", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html" }, { "name": "27943", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27943" }, { "name": "31104", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/31104" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/ticket/1562" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-0983", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "ADV-2008-0659", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0659/references" }, { "name": "29268", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29268" }, { "name": "29066", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29066" }, { "name": "29622", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29622" }, { "name": "SUSE-SR:2008:008", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "name": "29209", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29209" }, { "name": "https://issues.rpath.com/browse/RPL-2284", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-2284" }, { "name": "FEDORA-2008-2262", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html" }, { "name": "GLSA-200803-10", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml" }, { "name": "20080228 rPSA-2008-0084-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/488926/100/0/threaded" }, { "name": "DSA-1609", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1609" }, { "name": "29166", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29166" }, { "name": "http://wiki.rpath.com/Advisories:rPSA-2008-0084", "refsource": "CONFIRM", "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0084" }, { "name": "FEDORA-2008-2278", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html" }, { "name": "27943", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27943" }, { "name": "31104", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31104" }, { "name": 
"http://trac.lighttpd.net/trac/ticket/1562", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/ticket/1562" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-0983", "datePublished": "2008-02-26T18:00:00", "dateReserved": "2008-02-26T00:00:00", "dateUpdated": "2024-08-07T08:01:40.227Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-19052
Vulnerability from cvelistv5
| URL | Tags |
|---|---|
| https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1 | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html | vendor-advisory, x_refsource_SUSE |
| https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:30:04.022Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1" }, { "name": "openSUSE-SU-2019:2347", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html" }, { "name": "[debian-lts-announce] 20220118 [SECURITY] [DLA 2879-1] lighttpd security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-11-06T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing \u0027/\u0027 character, but the alias target filesystem path does have a trailing \u0027/\u0027 character." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-18T20:06:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1" }, { "name": "openSUSE-SU-2019:2347", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html" }, { "name": "[debian-lts-announce] 20220118 [SECURITY] [DLA 2879-1] lighttpd security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19052", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing \u0027/\u0027 character, but the alias target filesystem path does have a trailing \u0027/\u0027 character." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1", "refsource": "MISC", "url": "https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1" }, { "name": "openSUSE-SU-2019:2347", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00054.html" }, { "name": "[debian-lts-announce] 20220118 [SECURITY] [DLA 2879-1] lighttpd security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00012.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19052", "datePublished": "2018-11-07T05:00:00", "dateReserved": "2018-11-06T00:00:00", "dateUpdated": "2024-08-05T11:30:04.022Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11072
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://redmine.lighttpd.net/issues/2945 | x_refsource_MISC | |
https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354 | x_refsource_MISC | |
http://www.securityfocus.com/bid/107907 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2019-11072", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-11T20:27:33.982094Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-11T20:27:43.773Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T22:40:16.264Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://redmine.lighttpd.net/issues/2945" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354" }, { "name": "107907", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/107907" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states \"The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. 
Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-04-23T19:33:44", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://redmine.lighttpd.net/issues/2945" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354" }, { "name": "107907", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/107907" } ], "tags": [ "disputed" ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11072", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "** DISPUTED ** lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states \"The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. 
This is not exploitable beyond triggering the explicit abort() with subsequent application exit.\"" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://redmine.lighttpd.net/issues/2945", "refsource": "MISC", "url": "https://redmine.lighttpd.net/issues/2945" }, { "name": "https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354", "refsource": "MISC", "url": "https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354" }, { "name": "107907", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107907" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11072", "datePublished": "2019-04-10T21:04:57", "dateReserved": "2019-04-10T00:00:00", "dateUpdated": "2024-08-04T22:40:16.264Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-1111
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:08:57.337Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "29268", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29268" }, { "name": "29622", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29622" }, { "name": "ADV-2008-0763", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/0763" }, { "name": "29318", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29318" }, { "name": "SUSE-SR:2008:008", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "name": "29209", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29209" }, { "name": "DSA-1513", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1513" }, { "name": "FEDORA-2008-2262", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html" }, { "name": "28100", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28100" }, { "name": "20080312 rPSA-2008-0106-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded" }, { "name": "29275", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29275" }, { "name": "GLSA-200803-10", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": 
"http://security.gentoo.org/glsa/glsa-200803-10.xml" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-2326" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956" }, { "name": "FEDORA-2008-2278", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2107" }, { "name": "29235", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29235" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106" }, { "name": "lighttpd-modcgi-information-disclosure(41008)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-03-02T00:00:00", "descriptions": [ { "lang": "en", "value": "mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "29268", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29268" }, { "name": "29622", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29622" }, { "name": "ADV-2008-0763", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/0763" }, { "name": "29318", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29318" }, { "name": "SUSE-SR:2008:008", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "name": "29209", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29209" }, { "name": "DSA-1513", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1513" }, { "name": "FEDORA-2008-2262", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html" }, { "name": "28100", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28100" }, { "name": "20080312 rPSA-2008-0106-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded" }, { "name": "29275", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29275" }, { "name": "GLSA-200803-10", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml" }, { "tags": [ "x_refsource_MISC" ], "url": 
"https://issues.rpath.com/browse/RPL-2326" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956" }, { "name": "FEDORA-2008-2278", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2107" }, { "name": "29235", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29235" }, { "tags": [ "x_refsource_MISC" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106" }, { "name": "lighttpd-modcgi-information-disclosure(41008)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1111", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "29268", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29268" }, { "name": "29622", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29622" }, { "name": "ADV-2008-0763", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0763" }, { "name": "29318", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29318" }, { "name": "SUSE-SR:2008:008", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "name": "29209", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29209" }, { "name": "DSA-1513", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1513" }, { "name": "FEDORA-2008-2262", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html" }, { "name": "28100", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28100" }, { "name": "20080312 rPSA-2008-0106-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded" }, { "name": "29275", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29275" }, { "name": "GLSA-200803-10", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200803-10.xml" }, { "name": "https://issues.rpath.com/browse/RPL-2326", "refsource": "MISC", "url": "https://issues.rpath.com/browse/RPL-2326" }, { "name": "https://bugs.gentoo.org/show_bug.cgi?id=211956", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/show_bug.cgi?id=211956" }, { "name": "FEDORA-2008-2278", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html" }, { "name": "http://trac.lighttpd.net/trac/changeset/2107", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2107" 
}, { "name": "29235", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29235" }, { "name": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106", "refsource": "MISC", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106" }, { "name": "lighttpd-modcgi-information-disclosure(41008)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41008" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1111", "datePublished": "2008-03-04T23:00:00", "dateReserved": "2008-03-02T00:00:00", "dateUpdated": "2024-08-07T08:08:57.337Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-3708
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2024-07-09T15:06:37.504Z", "orgId": "7e9044f1-7f56-4c38-8864-c0c7302263d6", "shortName": "AMI" }, "rejectedReasons": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ], "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority." } ], "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7e9044f1-7f56-4c38-8864-c0c7302263d6", "assignerShortName": "AMI", "cveId": "CVE-2024-3708", "datePublished": "2024-05-23T00:11:32.655Z", "dateRejected": "2024-07-09T15:06:37.504Z", "dateReserved": "2024-04-12T12:26:57.356Z", "dateUpdated": "2024-07-09T15:06:37.504Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2006-0760
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://lighttpd.net/news/ | x_refsource_CONFIRM | |
http://www.vupen.com/english/advisories/2006/0550 | vdb-entry, x_refsource_VUPEN | |
http://secunia.com/advisories/18869 | third-party-advisory, x_refsource_SECUNIA | |
http://www.lighttpd.net/news/ | x_refsource_CONFIRM | |
http://www.osvdb.org/23229 | vdb-entry, x_refsource_OSVDB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/24699 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T16:48:55.669Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://lighttpd.net/news/" }, { "name": "ADV-2006-0550", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2006/0550" }, { "name": "18869", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/18869" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/news/" }, { "name": "23229", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/23229" }, { "name": "lighttpd-ext-source-disclosure(24699)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24699" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2006-01-15T00:00:00", "descriptions": [ { "lang": "en", "value": "LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected capitalization, as demonstrated by a request for index.PHP when the configuration invokes the PHP interpreter only for \".php\" names." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-19T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://lighttpd.net/news/" }, { "name": "ADV-2006-0550", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2006/0550" }, { "name": "18869", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/18869" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/news/" }, { "name": "23229", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/23229" }, { "name": "lighttpd-ext-source-disclosure(24699)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24699" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-0760", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected capitalization, as demonstrated by a request for index.PHP when the configuration invokes the PHP interpreter only for \".php\" names." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://lighttpd.net/news/", "refsource": "CONFIRM", "url": "http://lighttpd.net/news/" }, { "name": "ADV-2006-0550", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/0550" }, { "name": "18869", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/18869" }, { "name": "http://www.lighttpd.net/news/", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/news/" }, { "name": "23229", "refsource": "OSVDB", "url": "http://www.osvdb.org/23229" }, { "name": "lighttpd-ext-source-disclosure(24699)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24699" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-0760", "datePublished": "2006-02-18T02:00:00", "dateReserved": "2006-02-18T00:00:00", "dateUpdated": "2024-08-07T16:48:55.669Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-2324
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:06:00.322Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/2014/3/12/1.4.35/" }, { "name": "66157", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/66157" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt" }, { "name": "DSA-2877", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2014/dsa-2877" }, { "name": "openSUSE-SU-2014:0449", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html" }, { "name": "57514", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/57514" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "name": "openSUSE-SU-2014:0496", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html" }, { "name": "SUSE-SU-2014:0474", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html" }, { "name": "57404", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/57404" }, { "name": "[oss-security] 20140312 Re: lighttpd 1.4.34 SQL injection and path traversal CVE request", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q1/564" }, { "name": "[oss-security] 20140312 lighttpd 1.4.34 SQL 
injection and path traversal CVE request", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q1/561" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-03-12T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-19T04:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/2014/3/12/1.4.35/" }, { "name": "66157", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/66157" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt" }, { "name": "DSA-2877", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2014/dsa-2877" }, { "name": "openSUSE-SU-2014:0449", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html" }, { "name": "57514", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/57514" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "name": "openSUSE-SU-2014:0496", "tags": [ 
"vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html" }, { "name": "SUSE-SU-2014:0474", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html" }, { "name": "57404", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/57404" }, { "name": "[oss-security] 20140312 Re: lighttpd 1.4.34 SQL injection and path traversal CVE request", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q1/564" }, { "name": "[oss-security] 20140312 lighttpd 1.4.34 SQL injection and path traversal CVE request", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q1/561" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2324", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.lighttpd.net/2014/3/12/1.4.35/", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/2014/3/12/1.4.35/" }, { "name": "66157", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66157" }, { "name": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt", "refsource": "CONFIRM", "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt" }, { "name": "DSA-2877", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2877" }, { "name": "openSUSE-SU-2014:0449", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html" }, { "name": "57514", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57514" }, { "name": "HPSBGN03191", "refsource": "HP", "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "name": "openSUSE-SU-2014:0496", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html" }, { "name": "SUSE-SU-2014:0474", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html" }, { "name": "57404", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57404" }, { "name": "[oss-security] 20140312 Re: lighttpd 1.4.34 SQL injection and path traversal CVE request", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/564" }, { "name": "[oss-security] 20140312 lighttpd 1.4.34 SQL injection and path traversal CVE request", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/561" }, { "name": "JVN#37417423", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2324", "datePublished": 
"2014-03-14T15:00:00", "dateReserved": "2014-03-12T00:00:00", "dateUpdated": "2024-08-06T10:06:00.322Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-5533
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:05:47.345Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20121121 lighttpd 1.4.32 released, fixing CVE-2012-5533", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/21/1" }, { "name": "openSUSE-SU-2012:1532", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt" }, { "name": "22902", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/22902" }, { "name": "1027802", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1027802" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html" }, { "name": "51268", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51268" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345" }, { "name": "87623", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/87623" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "name": "MDVSA-2013:100", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": 
"http://www.mandriva.com/security/advisories?name=MDVSA-2013:100" }, { "name": "lighttpd-httprequestsplitvalue-dos(80213)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80213" }, { "name": "51298", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51298" }, { "name": "openSUSE-SU-2014:0074", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00051.html" }, { "name": "56619", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/56619" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-11-21T00:00:00", "descriptions": [ { "lang": "en", "value": "The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the \"Connection: TE,,Keep-Alive\" header." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[oss-security] 20121121 lighttpd 1.4.32 released, fixing CVE-2012-5533", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/21/1" }, { "name": "openSUSE-SU-2012:1532", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt" }, { "name": "22902", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/22902" }, { "name": "1027802", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1027802" }, { "tags": [ "x_refsource_MISC" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html" }, { "name": "51268", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51268" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345" }, { "name": "87623", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/87623" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "name": "MDVSA-2013:100", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:100" }, { "name": "lighttpd-httprequestsplitvalue-dos(80213)", "tags": [ "vdb-entry", "x_refsource_XF" 
], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80213" }, { "name": "51298", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51298" }, { "name": "openSUSE-SU-2014:0074", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00051.html" }, { "name": "56619", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/56619" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5533", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the \"Connection: TE,,Keep-Alive\" header." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20121121 lighttpd 1.4.32 released, fixing CVE-2012-5533", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/11/21/1" }, { "name": "openSUSE-SU-2012:1532", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html" }, { "name": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt", "refsource": "CONFIRM", "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt" }, { "name": "22902", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/22902" }, { "name": "1027802", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1027802" }, { "name": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch", "refsource": "MISC", "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch" }, { "name": "http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html", "refsource": "MISC", "url": "http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html" }, { "name": "51268", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51268" }, { "name": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345", "refsource": "CONFIRM", "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345" }, { "name": "87623", "refsource": "OSVDB", "url": "http://osvdb.org/87623" }, { "name": "HPSBGN03191", "refsource": "HP", "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "name": "MDVSA-2013:100", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:100" }, { "name": "lighttpd-httprequestsplitvalue-dos(80213)", "refsource": "XF", "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/80213" }, { "name": "51298", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51298" }, { "name": "openSUSE-SU-2014:0074", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00051.html" }, { "name": "56619", "refsource": "BID", "url": "http://www.securityfocus.com/bid/56619" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5533", "datePublished": "2012-11-24T20:00:00", "dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2024-08-06T21:05:47.345Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-4508
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt | x_refsource_CONFIRM | |
http://openwall.com/lists/oss-security/2013/11/04/19 | mailing-list, x_refsource_MLIST | |
http://marc.info/?l=bugtraq&m=141576815022399&w=2 | vendor-advisory, x_refsource_HP | |
http://redmine.lighttpd.net/issues/2525 | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html | vendor-advisory, x_refsource_SUSE | |
https://www.debian.org/security/2013/dsa-2795 | vendor-advisory, x_refsource_DEBIAN | |
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/ | x_refsource_CONFIRM | |
http://jvn.jp/en/jp/JVN37417423/index.html | third-party-advisory, x_refsource_JVN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:45:15.220Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt" }, { "name": "[oss-security] 20131104 Re: CVE Request: lighttpd using vulnerable cipher suites with SNI", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2013/11/04/19" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://redmine.lighttpd.net/issues/2525" }, { "name": "openSUSE-SU-2014:0072", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "name": "DSA-2795", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2013/dsa-2795" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-11-04T00:00:00", "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-19T04:06:11", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt" }, { "name": "[oss-security] 20131104 Re: CVE Request: lighttpd using vulnerable cipher suites with SNI", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2013/11/04/19" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://redmine.lighttpd.net/issues/2525" }, { "name": "openSUSE-SU-2014:0072", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "name": "DSA-2795", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2013/dsa-2795" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4508", "datePublished": "2013-11-08T02:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:45:15.220Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-1427
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://osvdb.org/91462 | vdb-entry, x_refsource_OSVDB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/82897 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/58528 | vdb-entry, x_refsource_BID | |
http://www.debian.org/security/2013/dsa-2649 | vendor-advisory, x_refsource_DEBIAN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:04:48.266Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "91462", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/91462" }, { "name": "lighttpd-cve20131427-symlink(82897)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82897" }, { "name": "58528", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/58528" }, { "name": "DSA-2649", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2013/dsa-2649" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-03-15T00:00:00", "descriptions": [ { "lang": "en", "value": "The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian" }, "references": [ { "name": "91462", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/91462" }, { "name": "lighttpd-cve20131427-symlink(82897)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82897" }, { "name": "58528", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/58528" }, { "name": "DSA-2649", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2013/dsa-2649" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@debian.org", "ID": "CVE-2013-1427", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "91462", "refsource": "OSVDB", "url": "http://osvdb.org/91462" }, { "name": "lighttpd-cve20131427-symlink(82897)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82897" }, { "name": "58528", "refsource": "BID", "url": "http://www.securityfocus.com/bid/58528" }, { "name": "DSA-2649", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2013/dsa-2649" } ] } } } }, "cveMetadata": { "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2013-1427", "datePublished": "2013-03-21T17:00:00", "dateReserved": "2013-01-26T00:00:00", "dateUpdated": "2024-08-06T15:04:48.266Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-4298
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:08:34.967Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "32069", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32069" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.gentoo.org/show_bug.cgi?id=238180" }, { "name": "32972", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32972" }, { "name": "[oss-security] 20080926 CVE Request (lighttpd)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2008/09/26/5" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2305" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "name": "lighttpd-httprequestparse-dos(45471)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45471" }, { "name": "32834", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32834" }, { "name": "31434", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/31434" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "name": "32132", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32132" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt" }, { "name": "20081030 rPSA-2008-0309-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": 
"http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "name": "ADV-2008-2741", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "name": "DSA-1645", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1645" }, { "name": "32480", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32480" }, { "name": "SUSE-SR:2008:026", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/1774" }, { "name": "GLSA-200812-04", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-09-26T00:00:00", "descriptions": [ { "lang": "en", "value": "Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "32069", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32069" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.gentoo.org/show_bug.cgi?id=238180" }, { "name": "32972", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32972" }, { "name": "[oss-security] 20080926 CVE Request (lighttpd)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2008/09/26/5" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2305" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "name": "lighttpd-httprequestparse-dos(45471)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45471" }, { "name": "32834", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32834" }, { "name": "31434", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/31434" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "name": "32132", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32132" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt" }, { "name": "20081030 rPSA-2008-0309-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "name": "ADV-2008-2741", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": 
"http://www.vupen.com/english/advisories/2008/2741" }, { "name": "DSA-1645", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1645" }, { "name": "32480", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32480" }, { "name": "SUSE-SR:2008:026", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/ticket/1774" }, { "name": "GLSA-200812-04", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-4298", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "32069", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32069" }, { "name": "http://bugs.gentoo.org/show_bug.cgi?id=238180", "refsource": "CONFIRM", "url": "http://bugs.gentoo.org/show_bug.cgi?id=238180" }, { "name": "32972", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32972" }, { "name": "[oss-security] 20080926 CVE Request (lighttpd)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2008/09/26/5" }, { "name": "http://trac.lighttpd.net/trac/changeset/2305", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2305" }, { "name": "http://wiki.rpath.com/Advisories:rPSA-2008-0309", "refsource": "CONFIRM", "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "name": "lighttpd-httprequestparse-dos(45471)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45471" }, { "name": "32834", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32834" }, { "name": "31434", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31434" }, { "name": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309", "refsource": "CONFIRM", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "name": "32132", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32132" }, { "name": "http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt" }, { "name": "20081030 rPSA-2008-0309-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "name": "ADV-2008-2741", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "name": "DSA-1645", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1645" }, { "name": 
"32480", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32480" }, { "name": "SUSE-SR:2008:026", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "name": "http://trac.lighttpd.net/trac/ticket/1774", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/ticket/1774" }, { "name": "GLSA-200812-04", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-4298", "datePublished": "2008-09-27T00:00:00", "dateReserved": "2008-09-26T00:00:00", "dateUpdated": "2024-08-07T10:08:34.967Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-37797
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://redmine.lighttpd.net/issues/3165 | ||
https://www.debian.org/security/2022/dsa-5243 | vendor-advisory | |
https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html | mailing-list | |
https://security.gentoo.org/glsa/202210-12 | vendor-advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T10:37:41.657Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://redmine.lighttpd.net/issues/3165" }, { "name": "DSA-5243", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5243" }, { "name": "[debian-lts-announce] 20221003 [SECURITY] [DLA 3133-1] lighttpd security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html" }, { "name": "GLSA-202210-12", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202210-12" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-31T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://redmine.lighttpd.net/issues/3165" }, { "name": "DSA-5243", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5243" }, { "name": "[debian-lts-announce] 20221003 [SECURITY] [DLA 3133-1] lighttpd security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html" }, { "name": "GLSA-202210-12", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202210-12" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-37797", "datePublished": "2022-09-12T00:00:00", "dateReserved": "2022-08-08T00:00:00", "dateUpdated": "2024-08-03T10:37:41.657Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-1869
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T13:13:41.420Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "25613", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/25613" }, { "name": "GLSA-200705-07", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200705-07.xml" }, { "name": "ADV-2007-1399", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2007/1399" }, { "name": "24947", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/24947" }, { "name": "SUSE-SR:2007:007", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://www.novell.com/linux/security/advisories/2007_007_suse.html" }, { "name": "lighttpd-rnrn-dos(33671)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33671" }, { "name": "24995", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/24995" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-1218" }, { "name": "DSA-1303", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2007/dsa-1303" }, { "name": "23515", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/23515" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_01.txt" }, { "name": "20070420 FLEA-2007-0011-1: lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/466464/30/6900/threaded" }, { "name": "25166", 
"tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/25166" }, { "name": "24886", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/24886" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-04-16T00:00:00", "descriptions": [ { "lang": "en", "value": "lighttpd 1.4.12 and 1.4.13 allows remote attackers to cause a denial of service (cpu and resource consumption) by disconnecting while lighttpd is parsing CRLF sequences, which triggers an infinite loop and file descriptor consumption." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "25613", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/25613" }, { "name": "GLSA-200705-07", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200705-07.xml" }, { "name": "ADV-2007-1399", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2007/1399" }, { "name": "24947", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/24947" }, { "name": "SUSE-SR:2007:007", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/2007_007_suse.html" }, { "name": "lighttpd-rnrn-dos(33671)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33671" }, { "name": "24995", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/24995" }, { "tags": [ 
"x_refsource_CONFIRM" ], "url": "https://issues.rpath.com/browse/RPL-1218" }, { "name": "DSA-1303", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2007/dsa-1303" }, { "name": "23515", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/23515" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_01.txt" }, { "name": "20070420 FLEA-2007-0011-1: lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/466464/30/6900/threaded" }, { "name": "25166", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/25166" }, { "name": "24886", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/24886" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-1869", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "lighttpd 1.4.12 and 1.4.13 allows remote attackers to cause a denial of service (cpu and resource consumption) by disconnecting while lighttpd is parsing CRLF sequences, which triggers an infinite loop and file descriptor consumption." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "25613", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25613" }, { "name": "GLSA-200705-07", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200705-07.xml" }, { "name": "ADV-2007-1399", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/1399" }, { "name": "24947", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24947" }, { "name": "SUSE-SR:2007:007", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_007_suse.html" }, { "name": "lighttpd-rnrn-dos(33671)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33671" }, { "name": "24995", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24995" }, { "name": "https://issues.rpath.com/browse/RPL-1218", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-1218" }, { "name": "DSA-1303", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2007/dsa-1303" }, { "name": "23515", "refsource": "BID", "url": "http://www.securityfocus.com/bid/23515" }, { "name": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_01.txt", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_01.txt" }, { "name": "20070420 FLEA-2007-0011-1: lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/466464/30/6900/threaded" }, { "name": "25166", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25166" }, { "name": "24886", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24886" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-1869", "datePublished": "2007-04-18T02:20:00", "dateReserved": "2007-04-05T00:00:00", "dateUpdated": "2024-08-07T13:13:41.420Z", 
"state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-3950
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:37:05.373Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "2909", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/2909" }, { "name": "26158", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26158" }, { "name": "ADV-2007-2585", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26130" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/1882" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/24967" }, { "name": "26593", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26593" }, { "name": "DSA-1362", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2007/dsa-1362" }, { "name": "GLSA-200708-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/1263" }, { "name": "SUSE-SR:2007:015", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "tags": [ "third-party-advisory", 
"x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26505" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-07-17T00:00:00", "descriptions": [ { "lang": "en", "value": "lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "2909", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/2909" }, { "name": "26158", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26158" }, { "name": "ADV-2007-2585", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26130" }, { "tags": [ "x_refsource_MISC" ], "url": "http://trac.lighttpd.net/trac/changeset/1882" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/24967" }, { "name": "26593", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26593" }, { "name": "DSA-1362", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": 
"http://www.debian.org/security/2007/dsa-1362" }, { "name": "GLSA-200708-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/ticket/1263" }, { "name": "SUSE-SR:2007:015", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26505" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3950", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "2909", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2909" }, { "name": "26158", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26158" }, { "name": "ADV-2007-2585", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26130" }, { "name": "http://trac.lighttpd.net/trac/changeset/1882", "refsource": "MISC", "url": "http://trac.lighttpd.net/trac/changeset/1882" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24967" }, { "name": "26593", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26593" }, { "name": "DSA-1362", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "name": "GLSA-200708-11", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "name": "http://trac.lighttpd.net/trac/ticket/1263", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/ticket/1263" }, { "name": "SUSE-SR:2007:015", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26505" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3950", "datePublished": "2007-07-24T00:00:00", "dateReserved": "2007-07-23T00:00:00", "dateUpdated": "2024-08-07T14:37:05.373Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-0295
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:45:11.703Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "38403", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38403" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711" }, { "name": "ADV-2011-0172", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0172" }, { "name": "39765", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/39765" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://redmine.lighttpd.net/issues/2147" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt" }, { "name": "FEDORA-2010-7643", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041307.html" }, { "name": "lighttpd-slow-request-dos(56038)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56038" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://blogs.sun.com/security/entry/cve_2010_0295_vulnerability_in" }, { "name": "FEDORA-2010-7636", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041264.html" }, { "name": "DSA-1987", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2010/dsa-1987" }, { "name": "SUSE-SR:2010:003", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00003.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710" }, { "name": "38036", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/38036" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch" }, { "name": "[oss-security] 20100202 lighttpd: slow request dos/oom attack [CVE-2010-0295]", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/02/01/8" }, { "name": "FEDORA-2010-7611", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041296.html" }, { "name": "GLSA-201006-17", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-201006-17.xml" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "38403", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38403" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711" }, { "name": "ADV-2011-0172", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0172" }, { "name": "39765", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/39765" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://redmine.lighttpd.net/issues/2147" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt" }, { "name": "FEDORA-2010-7643", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041307.html" }, { "name": "lighttpd-slow-request-dos(56038)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56038" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://blogs.sun.com/security/entry/cve_2010_0295_vulnerability_in" }, { "name": "FEDORA-2010-7636", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041264.html" }, { "name": "DSA-1987", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2010/dsa-1987" }, { "name": "SUSE-SR:2010:003", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00003.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710" }, { "name": "38036", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/38036" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch" }, { "name": "[oss-security] 20100202 lighttpd: slow request dos/oom attack [CVE-2010-0295]", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/02/01/8" }, { "name": "FEDORA-2010-7611", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041296.html" }, { "name": "GLSA-201006-17", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-201006-17.xml" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-0295", "datePublished": "2010-02-03T19:00:00", "dateReserved": "2010-01-12T00:00:00", "dateUpdated": "2024-08-07T00:45:11.703Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-4362
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:09:18.360Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "47260", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/47260" }, { "name": "20111224 Lighttpd Proof of Concept code for CVE-2011-4362", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0167.html" }, { "name": "[oss-security] 20111129 CVE Request: lighttpd/mod_auth out-of-bounds read due to signedness error", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/29/8" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=758624" }, { "name": "DSA-2368", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2011/dsa-2368" }, { "name": "18295", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/18295" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://blog.pi3.com.pl/?p=277" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt" }, { "name": "[oss-security] 20111129 Re: CVE Request: lighttpd/mod_auth out-of-bounds read due to signedness error", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/29/13" }, { "name": "1026359", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1026359" }, { "name": "lighttpd-base64-dos(71536)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71536" }, { "tags": [ 
"x_refsource_CONFIRM", "x_transferred" ], "url": "http://redmine.lighttpd.net/issues/2370" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-11-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-19T04:06:08", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "47260", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/47260" }, { "name": "20111224 Lighttpd Proof of Concept code for CVE-2011-4362", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0167.html" }, { "name": "[oss-security] 20111129 CVE Request: lighttpd/mod_auth out-of-bounds read due to signedness error", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/29/8" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=758624" }, { "name": "DSA-2368", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2011/dsa-2368" }, { "name": "18295", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/18295" }, { "tags": [ 
"x_refsource_MISC" ], "url": "http://blog.pi3.com.pl/?p=277" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt" }, { "name": "[oss-security] 20111129 Re: CVE Request: lighttpd/mod_auth out-of-bounds read due to signedness error", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/29/13" }, { "name": "1026359", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1026359" }, { "name": "lighttpd-base64-dos(71536)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71536" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://redmine.lighttpd.net/issues/2370" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-4362", "datePublished": "2011-12-24T19:00:00", "dateReserved": "2011-11-04T00:00:00", "dateUpdated": "2024-08-07T00:09:18.360Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41556
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:42:46.654Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50" }, { "tags": [ "x_transferred" ], "url": "https://github.com/lighttpd/lighttpd1.4/pull/115" }, { "tags": [ "x_transferred" ], "url": "https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67" }, { "name": "FEDORA-2022-c26b19568d", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/" }, { "name": "GLSA-202210-12", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202210-12" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-31T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50" }, { "url": "https://github.com/lighttpd/lighttpd1.4/pull/115" }, { "url": "https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67" }, { "name": "FEDORA-2022-c26b19568d", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/" }, { "name": "GLSA-202210-12", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202210-12" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-41556", "datePublished": "2022-10-06T00:00:00", "dateReserved": "2022-09-26T00:00:00", "dateUpdated": "2024-08-03T12:42:46.654Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-30780
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://github.com/lighttpd/lighttpd1.4 | x_refsource_MISC | |
https://redmine.lighttpd.net/issues/3059 | x_refsource_MISC | |
https://podalirius.net/en/cves/2022-30780/ | x_refsource_MISC | |
https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:56:14.103Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/lighttpd/lighttpd1.4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://redmine.lighttpd.net/issues/3059" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://podalirius.net/en/cves/2022-30780/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-11T14:40:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/lighttpd/lighttpd1.4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://redmine.lighttpd.net/issues/3059" }, { "tags": [ "x_refsource_MISC" ], "url": "https://podalirius.net/en/cves/2022-30780/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-30780", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/lighttpd/lighttpd1.4", "refsource": "MISC", "url": "https://github.com/lighttpd/lighttpd1.4" }, { "name": "https://redmine.lighttpd.net/issues/3059", "refsource": "MISC", "url": "https://redmine.lighttpd.net/issues/3059" }, { "name": "https://podalirius.net/en/cves/2022-30780/", "refsource": "MISC", "url": "https://podalirius.net/en/cves/2022-30780/" }, { "name": "https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service", "refsource": "MISC", "url": "https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-30780", "datePublished": "2022-06-11T14:40:53", "dateReserved": "2022-05-16T00:00:00", "dateUpdated": "2024-08-03T06:56:14.103Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-4559
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://secunia.com/advisories/55682 | third-party-advisory, x_refsource_SECUNIA | |
http://marc.info/?l=bugtraq&m=141576815022399&w=2 | vendor-advisory, x_refsource_HP | |
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html | vendor-advisory, x_refsource_SUSE | |
https://www.debian.org/security/2013/dsa-2795 | vendor-advisory, x_refsource_DEBIAN | |
http://www.openwall.com/lists/oss-security/2013/11/12/4 | mailing-list, x_refsource_MLIST | |
https://kc.mcafee.com/corporate/index?page=content&id=SB10310 | x_refsource_CONFIRM | |
http://jvn.jp/en/jp/JVN37417423/index.html | third-party-advisory, x_refsource_JVN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:45:14.842Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "55682", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/55682" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt" }, { "name": "openSUSE-SU-2014:0072", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "name": "DSA-2795", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2013/dsa-2795" }, { "name": "[oss-security] 20131112 Re: CVE Request: lighttpd multiple issues (setuid/... 
unchecked return value, FAM: read after free)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/11/12/4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10310" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-11-12T00:00:00", "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-19T04:06:13", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "55682", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/55682" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt" }, { "name": "openSUSE-SU-2014:0072", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "name": "DSA-2795", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2013/dsa-2795" }, { "name": "[oss-security] 20131112 Re: CVE Request: lighttpd multiple issues (setuid/... unchecked return value, FAM: read after free)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/11/12/4" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10310" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4559", "datePublished": "2013-11-19T19:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:45:14.842Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-3949
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:37:05.559Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it" }, { "name": "38311", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/38311" }, { "name": "26158", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26158" }, { "name": "ADV-2007-2585", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26130" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/24967" }, { "name": "26593", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26593" }, { "name": "DSA-1362", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2007/dsa-1362" }, { "name": "GLSA-200708-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/1871" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/1230" }, { "name": "SUSE-SR:2007:015", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": 
"http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26505" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-06-15T00:00:00", "descriptions": [ { "lang": "en", "value": "mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it" }, { "name": "38311", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/38311" }, { "name": "26158", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26158" }, { "name": "ADV-2007-2585", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26130" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/24967" }, { "name": "26593", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26593" }, { "name": "DSA-1362", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2007/dsa-1362" }, { 
"name": "GLSA-200708-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "tags": [ "x_refsource_MISC" ], "url": "http://trac.lighttpd.net/trac/changeset/1871" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/ticket/1230" }, { "name": "SUSE-SR:2007:015", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26505" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3949", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it" }, { "name": "38311", "refsource": "OSVDB", "url": "http://osvdb.org/38311" }, { "name": "26158", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26158" }, { "name": "ADV-2007-2585", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26130" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24967" }, { "name": "26593", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26593" }, { "name": "DSA-1362", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2007/dsa-1362" }, { "name": "GLSA-200708-11", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "name": "http://trac.lighttpd.net/trac/changeset/1871", "refsource": "MISC", "url": "http://trac.lighttpd.net/trac/changeset/1871" }, { "name": "http://trac.lighttpd.net/trac/ticket/1230", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/ticket/1230" }, { "name": "SUSE-SR:2007:015", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26505" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3949", "datePublished": "2007-07-24T00:00:00", "dateReserved": "2007-07-23T00:00:00", "dateUpdated": "2024-08-07T14:37:05.559Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }
cve-2013-4560
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://secunia.com/advisories/55682 | third-party-advisory, x_refsource_SECUNIA | |
http://marc.info/?l=bugtraq&m=141576815022399&w=2 | vendor-advisory, x_refsource_HP | |
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html | vendor-advisory, x_refsource_SUSE | |
https://www.debian.org/security/2013/dsa-2795 | vendor-advisory, x_refsource_DEBIAN | |
http://www.openwall.com/lists/oss-security/2013/11/12/4 | mailing-list, x_refsource_MLIST | |
http://jvn.jp/en/jp/JVN37417423/index.html | third-party-advisory, x_refsource_JVN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:45:14.824Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "55682", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/55682" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt" }, { "name": "openSUSE-SU-2014:0072", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "name": "DSA-2795", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2013/dsa-2795" }, { "name": "[oss-security] 20131112 Re: CVE Request: lighttpd multiple issues (setuid/... unchecked return value, FAM: read after free)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/11/12/4" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-11-12T00:00:00", "descriptions": [ { "lang": "en", "value": "Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-19T04:06:12", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "55682", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/55682" }, { "name": "HPSBGN03191", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt" }, { "name": "openSUSE-SU-2014:0072", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html" }, { "name": "DSA-2795", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2013/dsa-2795" }, { "name": "[oss-security] 20131112 Re: CVE Request: lighttpd multiple issues (setuid/... unchecked return value, FAM: read after free)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/11/12/4" }, { "name": "JVN#37417423", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN37417423/index.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4560", "datePublished": "2013-11-19T19:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:45:14.824Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2005-0453
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://security.gentoo.org/glsa/glsa-200502-21.xml | vendor-advisory, x_refsource_GENTOO | |
http://secunia.com/advisories/14297 | third-party-advisory, x_refsource_SECUNIA | |
http://article.gmane.org/gmane.comp.web.lighttpd/1171 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T21:13:54.155Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-200502-21", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200502-21.xml" }, { "name": "14297", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/14297" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://article.gmane.org/gmane.comp.web.lighttpd/1171" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2005-02-15T00:00:00", "descriptions": [ { "lang": "en", "value": "The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-15T16:38:25", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-200502-21", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200502-21.xml" }, { "name": "14297", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/14297" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://article.gmane.org/gmane.comp.web.lighttpd/1171" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-0453", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-200502-21", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200502-21.xml" }, { "name": "14297", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/14297" }, { "name": "http://article.gmane.org/gmane.comp.web.lighttpd/1171", "refsource": "CONFIRM", "url": "http://article.gmane.org/gmane.comp.web.lighttpd/1171" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-0453", "datePublished": "2005-02-16T05:00:00", "dateReserved": "2005-02-16T00:00:00", "dateUpdated": "2024-08-07T21:13:54.155Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-1270
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:17:34.265Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-2344" }, { "name": "29622", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29622" }, { "name": "29318", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29318" }, { "name": "SUSE-SR:2008:008", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "name": "GLSA-200804-08", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200804-08.xml" }, { "name": "DSA-1521", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1521" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_03.txt" }, { "name": "20080312 rPSA-2008-0106-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded" }, { "name": "29636", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29636" }, { "name": "ADV-2008-0885", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/0885/references" }, { "name": "28226", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28226" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/1587" }, { "name": "29403", "tags": [ "third-party-advisory", 
"x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29403" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=212930" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106" }, { "name": "lighttpd-moduserdir-information-disclosure(41173)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41173" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-03-10T00:00:00", "descriptions": [ { "lang": "en", "value": "mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.rpath.com/browse/RPL-2344" }, { "name": "29622", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29622" }, { "name": "29318", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29318" }, { "name": "SUSE-SR:2008:008", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "name": "GLSA-200804-08", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200804-08.xml" }, { "name": "DSA-1521", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1521" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_03.txt" }, { "name": "20080312 rPSA-2008-0106-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded" }, { "name": "29636", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29636" }, { "name": "ADV-2008-0885", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/0885/references" }, { "name": "28226", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28226" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/ticket/1587" }, { "name": "29403", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29403" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=212930" }, { "tags": [ "x_refsource_MISC" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106" }, { "name": "lighttpd-moduserdir-information-disclosure(41173)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41173" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1270", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.rpath.com/browse/RPL-2344", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-2344" }, { "name": "29622", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29622" }, { "name": "29318", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29318" }, { "name": "SUSE-SR:2008:008", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html" }, { "name": "GLSA-200804-08", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200804-08.xml" }, { "name": "DSA-1521", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1521" }, { "name": "http://www.lighttpd.net/security/lighttpd_sa_2008_03.txt", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_03.txt" }, { "name": "20080312 rPSA-2008-0106-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/489465/100/0/threaded" }, { "name": "29636", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29636" }, { "name": "ADV-2008-0885", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0885/references" }, { "name": "28226", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28226" }, { "name": "http://trac.lighttpd.net/trac/ticket/1587", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/ticket/1587" }, { "name": "29403", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29403" }, { "name": "http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany" }, { "name": "https://bugs.gentoo.org/show_bug.cgi?id=212930", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/show_bug.cgi?id=212930" }, { "name": 
"http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106", "refsource": "MISC", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106" }, { "name": "lighttpd-moduserdir-information-disclosure(41173)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41173" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1270", "datePublished": "2008-03-10T21:00:00", "dateReserved": "2008-03-10T00:00:00", "dateUpdated": "2024-08-07T08:17:34.265Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-4359
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:17:08.779Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "32069", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32069" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2307" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt" }, { "name": "32972", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32972" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2278" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "name": "31599", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/31599" }, { "name": "32834", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32834" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/1720" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2309" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "name": "32132", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32132" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/1" }, { "name": "20081030 rPSA-2008-0309-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], 
"url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/2310" }, { "name": "ADV-2008-2741", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "name": "DSA-1645", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1645" }, { "name": "[oss-security] 20080930 Re: Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/3" }, { "name": "lighttpd-urlredirect-rewrite-info-disclosure(45690)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45690" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/2" }, { "name": "32480", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32480" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch" }, { "name": "SUSE-SR:2008:026", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "name": "GLSA-200812-04", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-09-30T00:00:00", "descriptions": [ { "lang": "en", "value": "lighttpd before 1.4.20 compares 
URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "32069", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32069" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2307" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt" }, { "name": "32972", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32972" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2278" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "name": "31599", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/31599" }, { "name": "32834", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32834" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/ticket/1720" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2309" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "name": "32132", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32132" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/1" }, { "name": 
"20081030 rPSA-2008-0309-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://trac.lighttpd.net/trac/changeset/2310" }, { "name": "ADV-2008-2741", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "name": "DSA-1645", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1645" }, { "name": "[oss-security] 20080930 Re: Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/3" }, { "name": "lighttpd-urlredirect-rewrite-info-disclosure(45690)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45690" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2008/09/30/2" }, { "name": "32480", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32480" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch" }, { "name": "SUSE-SR:2008:026", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "name": "GLSA-200812-04", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-4359", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", 
"data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "32069", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32069" }, { "name": "http://trac.lighttpd.net/trac/changeset/2307", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2307" }, { "name": "http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt" }, { "name": "32972", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32972" }, { "name": "http://trac.lighttpd.net/trac/changeset/2278", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2278" }, { "name": "http://wiki.rpath.com/Advisories:rPSA-2008-0309", "refsource": "CONFIRM", "url": "http://wiki.rpath.com/Advisories:rPSA-2008-0309" }, { "name": "31599", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31599" }, { "name": "32834", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32834" }, { "name": "http://trac.lighttpd.net/trac/ticket/1720", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/ticket/1720" }, { "name": "http://trac.lighttpd.net/trac/changeset/2309", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2309" }, { "name": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309", "refsource": "CONFIRM", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309" }, { "name": "32132", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32132" }, { "name": 
"[oss-security] 20080930 Re: CVE request: lighttpd issues", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2008/09/30/1" }, { "name": "20081030 rPSA-2008-0309-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/497932/100/0/threaded" }, { "name": "http://trac.lighttpd.net/trac/changeset/2310", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/changeset/2310" }, { "name": "ADV-2008-2741", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2741" }, { "name": "DSA-1645", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1645" }, { "name": "[oss-security] 20080930 Re: Re: CVE request: lighttpd issues", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2008/09/30/3" }, { "name": "lighttpd-urlredirect-rewrite-info-disclosure(45690)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45690" }, { "name": "[oss-security] 20080930 Re: CVE request: lighttpd issues", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2008/09/30/2" }, { "name": "32480", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32480" }, { "name": "http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch", "refsource": "CONFIRM", "url": "http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch" }, { "name": "SUSE-SR:2008:026", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html" }, { "name": "GLSA-200812-04", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200812-04.xml" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-4359", "datePublished": "2008-10-03T17:18:00", "dateReserved": "2008-09-30T00:00:00", "dateUpdated": "2024-08-07T10:17:08.779Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": 
"5.1" }
cve-2007-3948
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/26158 | third-party-advisory, x_refsource_SECUNIA | |
http://trac.lighttpd.net/trac/changeset/1873 | x_refsource_MISC | |
http://www.vupen.com/english/advisories/2007/2585 | vdb-entry, x_refsource_VUPEN | |
http://secunia.com/advisories/26130 | third-party-advisory, x_refsource_SECUNIA | |
http://www.debian.org/security/2008/dsa-1609 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securityfocus.com/archive/1/474131/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/bid/24967 | vdb-entry, x_refsource_BID | |
http://security.gentoo.org/glsa/glsa-200708-11.xml | vendor-advisory, x_refsource_GENTOO | |
http://secunia.com/advisories/31104 | third-party-advisory, x_refsource_SECUNIA | |
http://trac.lighttpd.net/trac/ticket/1216 | x_refsource_CONFIRM | |
http://www.novell.com/linux/security/advisories/2007_15_sr.html | vendor-advisory, x_refsource_SUSE | |
http://secunia.com/advisories/26505 | third-party-advisory, x_refsource_SECUNIA | |
http://osvdb.org/38312 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:37:05.972Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "26158", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26158" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/changeset/1873" }, { "name": "ADV-2007-2585", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26130" }, { "name": "DSA-1609", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1609" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/24967" }, { "name": "GLSA-200708-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "name": "31104", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/31104" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://trac.lighttpd.net/trac/ticket/1216" }, { "name": "SUSE-SR:2007:015", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26505" }, { "name": "38312", "tags": [ "vdb-entry", "x_refsource_OSVDB", 
"x_transferred" ], "url": "http://osvdb.org/38312" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-06-15T00:00:00", "descriptions": [ { "lang": "en", "value": "connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "26158", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26158" }, { "tags": [ "x_refsource_MISC" ], "url": "http://trac.lighttpd.net/trac/changeset/1873" }, { "name": "ADV-2007-2585", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26130" }, { "name": "DSA-1609", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1609" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/24967" }, { "name": "GLSA-200708-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "name": "31104", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/31104" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://trac.lighttpd.net/trac/ticket/1216" }, { "name": "SUSE-SR:2007:015", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26505" }, { "name": "38312", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/38312" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3948", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "26158", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26158" }, { "name": "http://trac.lighttpd.net/trac/changeset/1873", "refsource": "MISC", "url": "http://trac.lighttpd.net/trac/changeset/1873" }, { "name": "ADV-2007-2585", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/2585" }, { "name": "26130", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26130" }, { "name": "DSA-1609", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1609" }, { "name": "20070719 rPSA-2007-0145-1 lighttpd", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/474131/100/0/threaded" }, { "name": "24967", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24967" }, { "name": "GLSA-200708-11", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200708-11.xml" }, { "name": "31104", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31104" }, { "name": "http://trac.lighttpd.net/trac/ticket/1216", "refsource": "CONFIRM", "url": "http://trac.lighttpd.net/trac/ticket/1216" }, { "name": "SUSE-SR:2007:015", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html" }, { "name": "26505", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26505" }, { "name": "38312", "refsource": "OSVDB", "url": "http://osvdb.org/38312" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3948", "datePublished": "2007-07-24T00:00:00", "dateReserved": "2007-07-23T00:00:00", "dateUpdated": "2024-08-07T14:37:05.972Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
var-201904-0995
Vulnerability from variot
lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit." ** Unsettled ** This case has not been confirmed as a vulnerability. lighttpd contains an integer overflow vulnerability. The vendor has disputed this vulnerability. For details, see the Current Description at NVD (https://nvd.nist.gov/vuln/detail/CVE-2019-11072). Information may be obtained or altered, and service operation may be disrupted (DoS). Lighttpd is an open source web server by the German software developer Jan Kneschke. An input validation error vulnerability exists in lighttpd versions prior to 1.4.54. The vulnerability stems from a network system or product that does not properly validate the input data. An attacker could exploit the vulnerability to cause a denial of service or code execution. lighttpd is prone to an integer overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. An attacker can exploit this issue to crash the affected application, resulting in denial-of-service conditions.
Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201904-0995", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "lighttpd", "scope": "lte", "trust": 1.0, "vendor": "lighttpd", "version": "1.4.53" }, { "model": "lighttpd", "scope": "lt", "trust": 0.8, "vendor": "lighttpd", "version": "1.4.54" }, { "model": "kneschke lighttpd", "scope": "lt", "trust": 0.6, "vendor": 
"jan", "version": "1.4.54" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.5" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.32" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.31" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.30" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.26" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.25" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.24" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.23" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.20" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.19" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.18" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.17" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.16" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.15" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.14" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.13" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.12" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.11" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.10" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.9" }, { "model": "lighttpd", "scope": 
"eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.8" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.7" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.6" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.5" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.4" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.3" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.2" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.1" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.3.10" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.3.8" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.3.7" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.35" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.34" }, { "model": "lighttpd", "scope": "eq", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.33" }, { "model": "lighttpd", "scope": "ne", "trust": 0.3, "vendor": "lighttpd", "version": "1.4.54" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-13852" }, { "db": "BID", "id": "107907" }, { "db": "JVNDB", "id": "JVNDB-2019-003364" }, { "db": "NVD", "id": "CVE-2019-11072" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": 
[], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "1.4.53", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2019-11072" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Stephan Zeisberg", "sources": [ { "db": "BID", "id": "107907" }, { "db": "CNNVD", "id": "CNNVD-201904-539" } ], "trust": 0.9 }, "cve": "CVE-2019-11072", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 7.5, "confidentialityImpact": "Partial", 
"exploitabilityScore": null, "id": "CVE-2019-11072", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CNVD-2019-13852", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "HIGH", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2019-11072", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2019-11072", "trust": 1.8, "value": "CRITICAL" }, { "author": "CNVD", "id": "CNVD-2019-13852", "trust": 0.6, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-201904-539", "trust": 0.6, "value": "CRITICAL" }, { "author": "VULMON", "id": "CVE-2019-11072", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "CNVD", 
"id": "CNVD-2019-13852" }, { "db": "VULMON", "id": "CVE-2019-11072" }, { "db": "JVNDB", "id": "JVNDB-2019-003364" }, { "db": "CNNVD", "id": "CNNVD-201904-539" }, { "db": "NVD", "id": "CVE-2019-11072" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states \"The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit. ** Unsettled ** This case has not been confirmed as a vulnerability. lighttpd Contains an integer overflow vulnerability. The vendor has disputed this vulnerability. For details, see NVD of Current Description Please Confirm. https://nvd.nist.gov/vuln/detail/CVE-2019-11072Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Lighttpd is an open source web server for German JanKneschke software developers. An input validation error vulnerability exists in versions prior to lighttpd 1.4.54. The vulnerability stems from a network system or product that does not properly validate the input data. 
An attacker exploited the vulnerability to cause a denial of service or code execution vulnerability. lighttpd is prone to an integer overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. \nAn attacker can exploit this issue to crash the affected application, resulting in denial-of-service conditions. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed", "sources": [ { "db": "NVD", "id": "CVE-2019-11072" }, { "db": "JVNDB", "id": "JVNDB-2019-003364" }, { "db": "CNVD", "id": "CNVD-2019-13852" }, { "db": "BID", "id": "107907" }, { "db": "VULMON", "id": "CVE-2019-11072" } ], "trust": 2.52 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2019-11072", "trust": 3.4 }, { "db": "BID", "id": "107907", "trust": 2.6 }, { "db": "JVNDB", "id": "JVNDB-2019-003364", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2019-13852", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201904-539", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2019-11072", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-13852" }, { "db": "VULMON", "id": "CVE-2019-11072" }, { "db": "BID", "id": "107907" }, { "db": "JVNDB", "id": "JVNDB-2019-003364" }, { "db": "CNNVD", "id": "CNNVD-201904-539" }, { "db": "NVD", "id": "CVE-2019-11072" } ] }, "id": "VAR-201904-0995", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2019-13852" } ], "trust": 1.6 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" 
}, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-13852" } ] }, "last_update_date": "2024-06-12T22:59:11.245000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "[core] fix abort in http-parseopts (fixes #2945)", "trust": 0.8, "url": "https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354" }, { "title": "Bug #2945", "trust": 0.8, "url": "https://redmine.lighttpd.net/issues/2945" }, { "title": "Lighttpd enters a patch to verify the error vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/160987" }, { "title": "lighttpd Enter the fix for the verification error vulnerability", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=91354" }, { "title": "Debian CVElist Bug Report Logs: lighttpd: CVE-2019-11072", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=9b235b8ab3dbcb0acdb0f9df18f1403b" }, { "title": "", "trust": 0.1, "url": "https://github.com/jreisinger/checkip " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-13852" }, { "db": "VULMON", "id": "CVE-2019-11072" }, { "db": "JVNDB", "id": "JVNDB-2019-003364" }, { "db": "CNNVD", "id": "CNNVD-201904-539" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-190", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-003364" }, { "db": "NVD", "id": "CVE-2019-11072" } ] }, "references": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.3, "url": "http://www.securityfocus.com/bid/107907" }, { "trust": 2.0, "url": "https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354" }, { "trust": 1.4, "url": "https://redmine.lighttpd.net/issues/2945" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11072" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11072" }, { "trust": 0.6, "url": "httpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354" }, { "trust": 0.6, "url": "httpd/lig" }, { "trust": 0.6, "url": "https://github.com/lig" }, { "trust": 0.6, "url": "httpd.net/issues/2945" }, { "trust": 0.6, "url": "https://redmine.lig" }, { "trust": 0.6, "url": "http://www.lig" }, { "trust": 0.6, "url": "httpd.net/versions/55" }, { "trust": 0.6, "url": "httpd-denial-of-service-via-url-path-2f-decode-29025" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/lig" }, { "trust": 0.3, "url": "https://redmine.lighttpd.net/versions/55" }, { "trust": 0.3, "url": "http://www.lighttpd.net/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/190.html" }, { "trust": 0.1, "url": "https://tools.cisco.com/security/center/viewalert.x?alertid=60000" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-13852" }, { "db": "VULMON", "id": "CVE-2019-11072" }, { "db": "BID", "id": "107907" }, { "db": "JVNDB", "id": "JVNDB-2019-003364" }, { "db": "CNNVD", "id": "CNNVD-201904-539" }, { "db": "NVD", "id": "CVE-2019-11072" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2019-13852" }, { "db": "VULMON", "id": "CVE-2019-11072" }, { "db": "BID", "id": "107907" }, { "db": 
"JVNDB", "id": "JVNDB-2019-003364" }, { "db": "CNNVD", "id": "CNNVD-201904-539" }, { "db": "NVD", "id": "CVE-2019-11072" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2019-05-13T00:00:00", "db": "CNVD", "id": "CNVD-2019-13852" }, { "date": "2019-04-10T00:00:00", "db": "VULMON", "id": "CVE-2019-11072" }, { "date": "2019-04-09T00:00:00", "db": "BID", "id": "107907" }, { "date": "2019-05-15T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-003364" }, { "date": "2019-04-10T00:00:00", "db": "CNNVD", "id": "CNNVD-201904-539" }, { "date": "2019-04-10T22:29:00.267000", "db": "NVD", "id": "CVE-2019-11072" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2019-05-13T00:00:00", "db": "CNVD", "id": "CNVD-2019-13852" }, { "date": "2023-11-07T00:00:00", "db": "VULMON", "id": "CVE-2019-11072" }, { "date": "2019-04-09T00:00:00", "db": "BID", "id": "107907" }, { "date": "2019-05-15T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-003364" }, { "date": "2019-04-24T00:00:00", "db": "CNNVD", "id": "CNNVD-201904-539" }, { "date": "2024-06-11T21:15:51.510000", "db": "NVD", "id": "CVE-2019-11072" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201904-539" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Lighttpd input validation error vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2019-13852" }, { "db": "CNNVD", "id": "CNNVD-201904-539" } ], "trust": 1.2 }, "type": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "input validation error", "sources": [ { "db": "CNNVD", "id": "CNNVD-201904-539" } ], "trust": 0.6 } }