7.5
CVSSv3

CVE-2013-4508

Published: 08/11/2013 Updated: 26/02/2021
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

lighttpd prior to 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote malicious users to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

lighttpd lighttpd

debian debian linux 8.0

debian debian linux 7.0

debian debian linux 6.0

opensuse opensuse 12.3

opensuse opensuse 12.2

opensuse opensuse 13.1

Vendor Advisories

Debian Bug report logs - #729453 lighttpd: multiple security issues Package: lighttpd; Maintainer for lighttpd is Debian QA Group <packages@qadebianorg>; Source for lighttpd is src:lighttpd (PTS, buildd, popcon) Reported by: Michael Gilbert <mgilbert@debianorg> Date: Wed, 13 Nov 2013 04:15:01 UTC Severity: seriou ...
Several vulnerabilities have been discovered in the lighttpd web server It was discovered that SSL connections with client certificates stopped working after the DSA-2795-1 update of lighttpd An upstream patch has now been applied that provides an appropriate identifier for client certificate verification CVE-2013-4508 It was discovered tha ...
Use-after-free vulnerability in lighttpd before 1433 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures lighttpd before 1434, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inse ...