Vulnerabilities > CVE-2022-37797 - NULL Pointer Dereference vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

lighttpd

debian

CWE-476

NVD

Published: 2022-09-12

Updated: 2022-12-03

Summary

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.

Vulnerable Configurations

Part	Description	Count
Application	Lighttpd Lighttpd Lighttpd 1.4.65	1
OS	Debian Debian Debian Linux 10.0	1

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

References

https://redmine.lighttpd.net/issues/3165
https://www.debian.org/security/2022/dsa-5243
https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html
https://security.gentoo.org/glsa/202210-12