7.5

CVE-2022-41556

Exploit
A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LighttpdLighttpd Version >= 1.4.56 < 1.4.67
FedoraprojectFedora Version35
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.71% 0.841
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

https://security.gentoo.org/glsa/202210-12
Third Party Advisory
https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50
Patch
Third Party Advisory
https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67
Third Party Advisory
https://github.com/lighttpd/lighttpd1.4/pull/115
Third Party Advisory
Exploit
Issue Tracking
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/