Integer Signedness Error in Lighttpd HTTP Authentication Functionality
CVE-2011-4362

Currently unrated

Key Information:

Vendor: Lighttpd
CVE Published: 24 December 2011

What is CVE-2011-4362?

An integer signedness error in the base64_decode function of the HTTP authentication feature in Lighttpd may allow remote attackers to cause a denial of service. Specially crafted base64 input leads to an out-of-bounds read and a potential segmentation fault. Affected versions are Lighttpd 1.4 prior to 1.4.30 and 1.5 before SVN revision 2806.
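The bug class described above, as an added example that is not lighttpd's code: a base64 reverse-table lookup goes out of bounds when the input byte is treated as signed, and a decoder that keeps the byte unsigned and range-checks it rejects the same input. The table layout, the function names `signed_index`, `b64_value` and `b64_decode`, and the sample inputs are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Reverse table for the 128 ASCII codes; -1 marks a non-base64 character.
   The layout is an assumption for this example, not lighttpd's table. */
static signed char rev[128];
static int rev_ready;

static void init_rev(void) {
    static const char abc[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(rev, -1, sizeof rev);
    for (int i = 0; i < 64; i++) rev[(unsigned char)abc[i]] = (signed char)i;
    rev_ready = 1;
}

/* Index produced when the input byte is held in a signed char: bytes >= 0x80
   turn negative and would address memory before the start of the table. */
int signed_index(unsigned char byte) { return (int)(signed char)byte; }

/* Hardened lookup: keep the byte unsigned and range-check before indexing. */
int b64_value(unsigned char byte) {
    if (!rev_ready) init_rev();
    return byte < sizeof rev ? rev[byte] : -1;
}

/* Decode until NUL or '=' padding; returns byte count, or -1 on any
   character outside the alphabet or when out (cap bytes) is too small. */
long b64_decode(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0; unsigned acc = 0; int bits = 0;
    for (; *in && *in != '='; in++) {
        int v = b64_value((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return (long)n;
}

int main(void) {
    unsigned char out[16];
    /* Constructed inputs: a valid credential string and one with byte 0xff. */
    printf("%ld %ld %d\n", b64_decode("dXNlcjpwYXNz", out, sizeof out),
           b64_decode("dXNl\xffjpw", out, sizeof out), signed_index(0xff));
    return 0;
}
```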
