Search CVE reports
1 – 10 of 35 results
CVE-2018-25103
Medium priorityThere exists use-after-free vulnerabilities in lighttpd <= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests.
1 affected package
lighttpd
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lighttpd | Not affected | Not affected | Not affected | Needs evaluation | Needs evaluation |
CVE-2024-3708
Medium priorityA condition exists in lighttpd version prior to 1.4.51 whereby a remote attacker can craft an http request which could result in multiple outcomes: 1.) cause lighttpd to access freed memory in which case the process lighttpd is...
1 affected package
lighttpd
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lighttpd | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2022-41556
Medium prioritySome fixes available 2 of 4
A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in...
1 affected package
lighttpd
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lighttpd | Not affected | Fixed | Not affected | Not affected | Not affected |
CVE-2022-37797
Medium priorityIn lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an...
1 affected package
lighttpd
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lighttpd | Not affected | Vulnerable | Vulnerable | Not affected | Not affected |
CVE-2022-30780
Medium priorityLighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read...
1 affected package
lighttpd
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lighttpd | Not affected | Not affected | Not affected | Not affected | Vulnerable |
CVE-2022-22707
Low prioritySome fixes available 2 of 4
In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a...
1 affected package
lighttpd
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lighttpd | — | Fixed | Fixed | Not affected | Not affected |
CVE-2019-11072
Medium priority** DISPUTED ** lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request,...
1 affected package
lighttpd
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lighttpd | — | — | — | Not affected | Not affected |
CVE-2018-19052
Low prioritySome fixes available 3 of 4
An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the...
1 affected package
lighttpd
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lighttpd | — | Not affected | Not affected | Fixed | Fixed |
CVE-2016-1000212
Medium prioritySome fixes available 2 of 7
Mitigation for HTTPoxy vulnerability
1 affected package
lighttpd
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lighttpd | — | — | — | Not affected | Fixed |
CVE-2015-3200
Low prioritySome fixes available 2 of 9
mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.
1 affected package
lighttpd
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
lighttpd | — | Not affected | Not affected | Not affected | Fixed |