SB2018120316 - Input validation error in LiteSpeed OpenLiteSpeed




Published: December 3, 2018
Updated: August 8, 2020

Security Bulletin ID: SB2018120316
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Input validation error (CVE-ID: CVE-2018-19791)

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 does not correctly handle requests for byte sequences, allowing an attacker to amplify the response size by requesting the entire response body repeatedly, as demonstrated by an HTTP Range header value beginning with the "bytes=0-,0-" substring.
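
The range-set arithmetic behind this issue, as an added example that is not part of the bulletin or of OpenLiteSpeed's code: it resolves a Range header against a body length, computes how many times the body would be sent if every range were served as requested, and flags overlapping range sets. The function names, the 1000-byte body and the reject-on-overlap policy are assumptions made for illustration.

```python
import re

SPEC = re.compile(r"(\d*)-(\d*)")

def resolve_ranges(header, length):
    """Inclusive (first, last) pairs satisfiable for a `length`-byte body; None if malformed."""
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    out = []
    for spec in (s.strip() for s in specs.split(",")):
        if not spec:
            continue                      # empty list elements are tolerated
        m = SPEC.fullmatch(spec)
        if not m or m.groups() == ("", ""):
            return None
        first, last = m.groups()
        if first == "":                   # suffix form "-N": last N bytes
            start, end = max(length - int(last), 0), length - 1
        else:                             # "A-B" or open-ended "A-"
            start = int(first)
            end = min(int(last), length - 1) if last else length - 1
            if last and int(last) < start:
                return None
        if start <= end:                  # drop unsatisfiable ranges
            out.append((start, end))
    return out

def amplification(header, length):
    """Bytes sent if every range is served as requested, divided by body size."""
    ranges = resolve_ranges(header, length)
    if not ranges:
        return 0.0
    return sum(e - s + 1 for s, e in ranges) / length

def overlaps(ranges):
    """True if any two ranges share a byte (adjacent check after sorting suffices)."""
    ordered = sorted(ranges)
    return any(nxt[0] <= cur[1] for cur, nxt in zip(ordered, ordered[1:]))

def is_abusive(header, length):
    """Policy assumed for this example: refuse overlapping range sets."""
    ranges = resolve_ranges(header, length)
    return bool(ranges) and overlaps(ranges)

if __name__ == "__main__":
    for h in ("bytes=0-,0-", "bytes=0-,0-,0-,0-", "bytes=0-99,500-599"):  # constructed samples
        print(f"{h!r:24} amp={amplification(h, 1000):.1f} abusive={is_abusive(h, 1000)}")
```

A check of this kind belongs in front of the range handler (server, reverse proxy or WAF rule), where an overlapping set can be answered with the full body once or refused outright.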


Remediation

Install the update from the vendor's website.