Vulnerabilities > Lighttpd > Lighttpd > High

DATE CVE VULNERABILITY TITLE RISK
2022-10-06 CVE-2022-41556 Memory Leak vulnerability in multiple products
A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients.
network
low complexity
lighttpd fedoraproject CWE-401
7.5
2022-09-12 CVE-2022-37797 NULL Pointer Dereference vulnerability in multiple products
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received.
network
low complexity
lighttpd debian CWE-476
7.5
2022-06-11 CVE-2022-30780 Incorrect Calculation vulnerability in Lighttpd 1.4.56/1.4.57/1.4.58
Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.
network
low complexity
lighttpd CWE-682
7.5
2014-03-14 CVE-2014-2323 SQL Injection vulnerability in multiple products
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
network
low complexity
lighttpd debian opensuse suse CWE-89
7.5
2013-11-20 CVE-2013-4559 Permissions, Privileges, and Access Controls vulnerability in multiple products
lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.
network
high complexity
lighttpd debian opensuse CWE-264
7.6
2008-10-03 CVE-2008-4360 Information Exposure vulnerability in multiple products
mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.
network
low complexity
lighttpd debian CWE-200
7.5
2008-10-03 CVE-2008-4359 Information Exposure vulnerability in multiple products
lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.
network
low complexity
lighttpd debian CWE-200
7.5
2007-07-24 CVE-2007-3949 Unspecified vulnerability in Lighttpd
mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings.
network
lighttpd
8.3
2007-04-18 CVE-2007-1870 Remote Denial of Service vulnerability in Lighttpd
lighttpd before 1.4.14 allows attackers to cause a denial of service (crash) via a request to a file whose mtime is 0, which results in a NULL pointer dereference.
network
low complexity
lighttpd
7.8