CVE-2011-4362

Published: 24/12/2011 Updated: 04/03/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 505
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 prior to 1.4.30 and 1.5 before SVN revision 2806 allows remote malicious users to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.

Vulnerable Products

lighttpd

lighttpd 1.5.0

Debian Linux 5.0

Debian Linux 6.0

Debian Linux 7.0

Vendor Advisories

Debian Bug report logs - #652726 CVE-2011-4362: DoS because of incorrect code in src/http_auth.c:67. Package: src:lighttpd; Maintainer for src:lighttpd is Debian QA Group <packages@qa.debian.org>; Reported by: Mahyuddin Susanto <udienz@ubuntu.com>; Date: Tue, 20 Dec 2011 10:12:23 UTC; Severity: grave; Tags: fixed-upstrea ...
Several vulnerabilities have been discovered in lighttpd, a small and fast webserver with minimal memory footprint. CVE-2011-4362: Xi Wang discovered that the base64 decoding routine, which is used to decode user input during HTTP authentication, suffers from a signedness issue when processing user input. As a result it is possible to force ...

Exploits

29 November 2011 was the date of public disclosure of an interesting vulnerability in the lighttpd server. Xi Wang discovered that mod_auth for this server does not properly decode characters from the extended ASCII table. The vulnerable code is below: "src/http_auth.c:67" --- CUT --- static const short base64_reverse_table[256] = ; static unsigned ch ...
Lighttpd versions before 1.4.30 and 1.5 before SVN revision 2806 out-of-bounds read segmentation fault denial of service exploit ...
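The signedness error described in the summary and excerpted above, as an added example that is not lighttpd's code: a constructed reverse table in the shape of `base64_reverse_table[256]`, the plain-`char` index that turns negative for input bytes >= 0x80 on platforms where `char` is signed, and a decoder that indexes with `unsigned char` and rejects non-alphabet bytes instead of reading out of bounds. Function names and the table contents are assumptions made for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Constructed reverse table in the shape of lighttpd's base64_reverse_table[256]:
 * 0..63 for alphabet bytes, -1 for everything else (including every byte >= 0x80). */
static short reverse_table[256];
static int table_ready = 0;

static void init_table(void) {
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    for (int i = 0; i < 256; i++) reverse_table[i] = -1;
    for (int i = 0; i < 64; i++) reverse_table[(unsigned char)alphabet[i]] = (short)i;
    table_ready = 1;
}

/* Root cause: indexing the 256-entry table with a plain 'char'. Where char is
 * signed (e.g. x86), an input byte >= 0x80 becomes a negative index. */
int table_index_plain_char(char c) { return c; }

/* Fix: convert to unsigned char first, so the index is always within 0..255. */
int table_index_unsigned(char c) { return (unsigned char)c; }

/* Hardened decoder: unsigned indexing plus rejection of non-alphabet bytes.
 * Returns the decoded length, or -1 if the input is malformed or too long. */
int base64_decode_safe(const char *in, size_t in_len,
                       unsigned char *out, size_t out_cap) {
    unsigned int acc = 0;   /* bit accumulator; only the low 14 bits are ever used */
    int bits = 0;           /* number of not-yet-emitted bits in acc */
    size_t n = 0;
    if (!table_ready) init_table();
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '=') break;                  /* padding: stop decoding */
        short v = reverse_table[table_index_unsigned(in[i])];
        if (v < 0) return -1;                     /* bytes like 0xE9 are rejected here */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;          /* never write past the caller's buffer */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}
```

The valid input below is the RFC 2617 Basic-auth sample credential; the malformed input carries a single byte 0xE9, the kind of extended-ASCII byte the advisory describes.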