Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Lighttpd
(Lighttpd)Repositories | https://github.com/lighttpd/lighttpd1.4 |
#Vulnerabilities | 34 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2013-11-08 | CVE-2013-4508 | lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network. | Debian_linux, Lighttpd, Opensuse | 7.5 | ||
2014-03-14 | CVE-2014-2324 | Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname. | Sv\-Cpt\-Mc310_firmware, Debian_linux, Lighttpd, Opensuse, Linux_enterprise_high_availability_extension, Linux_enterprise_software_development_kit | N/A | ||
2015-06-09 | CVE-2015-3200 | mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character. | Virtual_customer_access_system, Lighttpd, Solaris | 7.5 | ||
2013-03-21 | CVE-2013-1427 | The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition. | Lighttpd | N/A | ||
2012-11-24 | CVE-2012-5533 | The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header. | Lighttpd | N/A | ||
2010-02-03 | CVE-2010-0295 | lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. | Lighttpd | N/A | ||
2008-10-03 | CVE-2008-4360 | mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files. | Debian_linux, Lighttpd | N/A | ||
2008-10-03 | CVE-2008-4359 | lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data. | Debian_linux, Lighttpd | N/A | ||
2008-09-27 | CVE-2008-4298 | Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers. | Lighttpd | N/A | ||
2008-03-27 | CVE-2008-1531 | The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost. | Debian_linux, Lighttpd | N/A |