
CVE-2022-37797

Published: 12/09/2022 Updated: 03/12/2022
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. This leads to a null pointer dereference, which crashes the server. An external malicious user could use it to cause a denial of service condition.

Vulnerable Product

lighttpd lighttpd 1.4.65

debian debian linux 10.0

Vendor Advisories

Several vulnerabilities were discovered in lighttpd, a fast webserver with minimal memory footprint. CVE-2022-37797: An invalid HTTP request (websocket handshake) may cause a NULL pointer dereference in the wstunnel module. CVE-2022-41556: A resource leak in mod_fastcgi and mod_scgi could lead to a denial of service after a large num ...
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition (CVE-2022-37797) ...
Severity: Unknown. Remote: Unknown. Type: Unknown. Description: AVG-2822 lighttpd 1.4.66-1 1.4.67-1 Unknown Fixed redmine.lighttpd.net/issues/3165 git.lighttpd.net/lighttpd/lighttpd1.4/commit/971773f ...