7.5
CVSSv2

CVE-2014-2323

Published: 14/03/2014 Updated: 26/02/2021
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

SQL injection vulnerability in mod_mysql_vhost.c in lighttpd prior to 1.4.35 allows remote malicious users to execute arbitrary SQL commands via the host name, related to request_check_hostname.

Vulnerable Products

lighttpd / lighttpd
debian / debian linux 6.0
debian / debian linux 7.0
debian / debian linux 8.0
opensuse / opensuse 11.4
opensuse / opensuse 12.3
opensuse / opensuse 13.1
suse / linux enterprise high availability extension 11
suse / linux enterprise software development kit 11

Vendor Advisories

Debian Bug report logs - #741493 lighttpd: SA_2014_01. Package: src:lighttpd; Maintainer for src:lighttpd is Debian QA Group <packages@qa.debian.org>; Reported by: Michael Gilbert <mgilbert@debian.org>; Date: Thu, 13 Mar 2014 00:39:02 UTC; Severity: serious; Found in version lighttpd/1.4.28-2; Fixed in versions lighttpd ...
Several vulnerabilities were discovered in the lighttpd web server. CVE-2014-2323: Jann Horn discovered that specially crafted host names can be used to inject arbitrary MySQL queries in lighttpd servers using the MySQL virtual hosting module (mod_mysql_vhost). This only affects installations with the lighttpd-mod-mysql-vhost bi ...
Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname. SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitra ...

Github Repositories

CVE-2014-2323 exploit demonstration

Title: Ep4 - Related Vulnerability (Networks)
Members: Ciro S Costa, Marcela Terakado
Date: 10 Nov, 2015

Related vulnerability: CVE-2014-2323 [1] was assigned to the SQL injection bug; CVE-2014-2324 [2] was assigned to the path traversal bug. Confirm: download.lighttpd.net/lighttpd/s