#VU32618 Input validation error in lighttpd


Published: 2020-07-29

Vulnerability identifier: #VU32618

Vulnerability risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2012-5533

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
lighttpd
Server applications / Web servers

Vendor: lighttpd

Description

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.

Mitigation
The vendor has issued the following versions to address this vulnerability: 1.4.31, 1.4.32.

Vulnerable software versions

lighttpd: 1.4.1 - 1.4.30

External links
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00051.html
http://marc.info/?l=bugtraq&m=141576815022399&w=2
http://osvdb.org/87623
http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html
http://secunia.com/advisories/51268
http://secunia.com/advisories/51298
http://www.exploit-db.com/exploits/22902
http://www.mandriva.com/security/advisories?name=MDVSA-2013:100
http://www.openwall.com/lists/oss-security/2012/11/21/1
http://www.securityfocus.com/bid/56619
http://www.securitytracker.com/id?1027802
http://exchange.xforce.ibmcloud.com/vulnerabilities/80213
http://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in HP Remote Device Access: Virtual Customer Access System (vCAS)
Gentoo update for lighttpd
Input validation error in lighttpd (Alpine package)
Amazon Linux AMI update for lighttpd
Input validation error in lighttpd