Lighttpd

Lighttpd

35 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
4.3

CVE-2008-1531

  • EPSS 3.62%
  • Published 27.03.2008 23:44:00
  • Last modified 09.04.2025 00:30:58

The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a...

5

CVE-2008-1270

Exploit
  • EPSS 6.28%
  • Published 10.03.2008 21:44:00
  • Last modified 09.04.2025 00:30:58

mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.

5

CVE-2008-1111

  • EPSS 0.87%
  • Published 04.03.2008 23:44:00
  • Last modified 09.04.2025 00:30:58

mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information.

5

CVE-2008-0983

  • EPSS 4.09%
  • Published 26.02.2008 18:44:00
  • Last modified 09.04.2025 00:30:58

lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of...

6.8

CVE-2007-4727

  • EPSS 16.84%
  • Published 12.09.2007 19:17:00
  • Last modified 09.04.2025 00:30:58

Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18 allows remote attackers to overwrite arbitrary CGI variables and execute arbitrary code via an HTTP request with a long...

4.3

CVE-2007-3950

  • EPSS 1.73%
  • Published 24.07.2007 00:30:00
  • Last modified 09.04.2025 00:30:58

lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_...

6.4

CVE-2007-3946

  • EPSS 4.45%
  • Published 24.07.2007 00:30:00
  • Last modified 09.04.2025 00:30:58

mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) traili...

5.8

CVE-2007-3947

  • EPSS 15.75%
  • Published 24.07.2007 00:30:00
  • Last modified 09.04.2025 00:30:58

request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fau...

4.3

CVE-2007-3948

  • EPSS 1.88%
  • Published 24.07.2007 00:30:00
  • Last modified 09.04.2025 00:30:58

connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts.

8.3

CVE-2007-3949

  • EPSS 0.57%
  • Published 24.07.2007 00:30:00
  • Last modified 09.04.2025 00:30:58

mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings.