Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.6
CVSSv2

CVE-2013-4559

Published: 20/11/2013 Updated: 26/02/2021
CVSS v2 Base Score: 7.6 | Impact Score: 10 | Exploitability Score: 4.9
VMScore: 676
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Subscribe to Lighttpd

Vulnerability Summary

lighttpd prior to 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote malicious users to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

lighttpd lighttpd

debian debian linux 6.0

debian debian linux 7.0

debian debian linux 8.0

opensuse opensuse 12.2

opensuse opensuse 12.3

opensuse opensuse 13.1

Vendor Advisories

Debian CVElist Bug Report Logs: lighttpd: multiple security issues
Debian Bug report logs - #729453 lighttpd: multiple security issues Package: lighttpd; Maintainer for lighttpd is Debian QA Group <packages@qadebianorg>; Source for lighttpd is src:lighttpd (PTS, buildd, popcon) Reported by: Michael Gilbert <mgilbert@debianorg> Date: Wed, 13 Nov 2013 04:15:01 UTC Severity: seriou ...
Debian Security Advisories: DSA-2795-2 lighttpd -- several vulnerabilities
Several vulnerabilities have been discovered in the lighttpd web server It was discovered that SSL connections with client certificates stopped working after the DSA-2795-1 update of lighttpd An upstream patch has now been applied that provides an appropriate identifier for client certificate verification CVE-2013-4508 It was discovered tha ...
Amazon Linux AMI: ALAS-2014-299
Use-after-free vulnerability in lighttpd before 1433 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures lighttpd before 1434, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inse ...

References

CWE-264http://www.openwall.com/lists/oss-security/2013/11/12/4http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txthttp://secunia.com/advisories/55682http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.htmlhttp://marc.info/?l=bugtraq&m=141576815022399&w=2https://www.debian.org/security/2013/dsa-2795https://kc.mcafee.com/corporate/index?page=content&id=SB10310http://jvn.jp/en/jp/JVN37417423/index.htmlhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729453https://nvd.nist.govhttps://www.debian.org/security/./dsa-2795
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
path traversalCVE-2024-26978CVE-2024-26982wirelessCVE-2023-6949CVE-2024-26980CVE-2024-32766CVE-2024-26939cache poisoning
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook