Denial of Service Vulnerability in lighttpd Web Server
CVE-2012-5533

Currently unrated

Key Information:

Vendor

Lighttpd

Status
Lighttpd
Vendor
CVE Published:
24 November 2012

What is CVE-2012-5533?

A vulnerability exists in the lighttpd web server that may allow a remote attacker to create a denial of service condition. Specifically, the function http_request_split_value in request.c prior to version 1.4.32 is susceptible to an attack involving a maliciously crafted HTTP request header. If an attacker sends a request containing an empty token in the header, such as 'Connection: TE,,Keep-Alive', this can lead to an infinite loop, causing the server to become unresponsive. Administrators are advised to upgrade to the latest version to mitigate this risk.

References

http://www.openwall.com/lists/oss-security/2012/11/21/1
mailing-listx_refsource_MLIST
http://lists.opensuse.org/opensuse-updates/2012-11/msg000...
vendor-advisoryx_refsource_SUSE
http://download.lighttpd.net/lighttpd/security/lighttpd_s...
x_refsource_CONFIRM

EPSS Score

42% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.