CVSS: 7.5EPSS: 8%CPEs: 5EXPL: 7CVE-2011-4362 – lighttpd - Denial of Service (PoC)
https://notcve.org/view.php?id=CVE-2011-4362
24 Dec 2011 — Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index. Error de signo de entero en la función base64_decode en la funcionalidad de autenticación HTTP (http_auth.c) en lighttpd v1.4 anterior a v1.4.30 y v1.5 antes de la revisión SVN 2806... • https://www.exploit-db.com/exploits/18295 •
CVSS: 7.5EPSS: 9%CPEs: 62EXPL: 2CVE-2010-0295 – lighttpd 1.4/1.5 - Slow Request Handling Remote Denial of Service
https://notcve.org/view.php?id=CVE-2010-0295
03 Feb 2010 — lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. lighttpd anterior a v1.4.26 y v1.5.x, reserva un búfer por cada operación de lectura para cada petición, lo que permite a atacantes remotos provocar una denegación de servicio (consumo de memoria) rompiendo la petición en pequeños pedazos que son enviados a... • https://www.exploit-db.com/exploits/33591 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 6%CPEs: 2EXPL: 0CVE-2008-4359
https://notcve.org/view.php?id=CVE-2008-4359
03 Oct 2008 — lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data. lighttpd versiones anteriores a v1.4.20 compara URIs con patrones en los ajustes de configuración (1) url.redirect y (2) url.rewrite antes de realizar la decodificación de URL, lo cual puede permitir a atacantes remotos evitar rest... • http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.1EPSS: 5%CPEs: 2EXPL: 0CVE-2008-4360
https://notcve.org/view.php?id=CVE-2008-4360
03 Oct 2008 — mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files. mod_userdir de lighttpd versiones anteriores a v1.4.20, cuando un sistema operativo insensible a mayúsculas o minúsculas o sistemas de ficheros son utili... • http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 11%CPEs: 54EXPL: 0CVE-2008-4298
https://notcve.org/view.php?id=CVE-2008-4298
27 Sep 2008 — Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers. Fugas de memoria en la función http_request_parse en request.c en lighttpd anteriores a v1.4.20 permite a atacantes remotos causar denegación de servicio (corrupción de memoria) a través de un gran número de peticiones con cabeceras de peticiones duplicadas. • http://bugs.gentoo.org/show_bug.cgi?id=238180 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 19%CPEs: 3EXPL: 0CVE-2008-1531
https://notcve.org/view.php?id=CVE-2008-1531
27 Mar 2008 — The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost. La función connection_state_machine (connections.c) en lighttpd versión 1.4.19 y anteriores, y versión 1.5.x anterior a 1.5.0, permite a los atacantes remotos generar una denegación de s... • http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html •
CVSS: 7.5EPSS: 10%CPEs: 1EXPL: 2CVE-2008-1270 – Lighttpd 1.4.x - mod_userdir Information Disclosure
https://notcve.org/view.php?id=CVE-2008-1270
10 Mar 2008 — mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory. mod_userdir en lighttpd 1.4.18 y anteriores, cuando no está establecido el userdir.path usa un $HOME por defecto, que podría permitir a atacantes remotos leer ficheros de su elección como se ha demostrado accediendo al directorio ~nobody. • https://www.exploit-db.com/exploits/31396 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2008-1111
https://notcve.org/view.php?id=CVE-2008-1111
04 Mar 2008 — mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information. El mod_cgi en lighttpd versión 1.4.18, envía el código fuente de los scripts CGI en lugar de un error 500 cuando ocurre un fallo de bifurcación, lo que podría permitir a los atacantes remotos obtener información confidencial. • http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 9%CPEs: 12EXPL: 0CVE-2008-0983
https://notcve.org/view.php?id=CVE-2008-0983
26 Feb 2008 — lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. lighttpd 1.4.18 y posiblemente otras versiones anteriores a la 1.5.0, no calcula correctamente el tamaño del array descriptor de archivos, lo que permite a atacantes remotos provocar una denegación de servicio (caída) a través de un gran número d... • http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 50%CPEs: 1EXPL: 0CVE-2007-4727
https://notcve.org/view.php?id=CVE-2007-4727
12 Sep 2007 — Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18 allows remote attackers to overwrite arbitrary CGI variables and execute arbitrary code via an HTTP request with a long content length, as demonstrated by overwriting the SCRIPT_FILENAME variable, aka a "header overflow." Desbordamiento de búfer en la función fcgi_env_add de mod_proxy_backend_fastcgi.c en la extensión mod_fastcgi en lighttpd anterior a 1.4.18 permite a atacantes... • http://fedoranews.org/updates/FEDORA-2007-213.shtml • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •