CVSS: 5.0EPSS: 7%CPEs: 62EXPL: 2CVE-2010-0295 – lighttpd 1.4/1.5 - Slow Request Handling Remote Denial of Service
https://notcve.org/view.php?id=CVE-2010-0295
lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. lighttpd anterior a v1.4.26 y v1.5.x, reserva un búfer por cada operación de lectura para cada petición, lo que permite a atacantes remotos provocar una denegación de servicio (consumo de memoria) rompiendo la petición en pequeños pedazos que son enviados a baja velocidad. • https://www.exploit-db.com/exploits/33591 http://blogs.sun.com/security/entry/cve_2010_0295_vulnerability_in http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch http://download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041264.html http://lists.fedoraproject.org/pipermail/package-announce/2010-May • CWE-399: Resource Management Errors •
CVSS: 4.3EPSS: 10%CPEs: 3EXPL: 0CVE-2008-1531
https://notcve.org/view.php?id=CVE-2008-1531
The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost. La función connection_state_machine (connections.c) en lighttpd versión 1.4.19 y anteriores, y versión 1.5.x anterior a 1.5.0, permite a los atacantes remotos generar una denegación de servicio (pérdida de conexión SSL activa) al activar un error SSL, como desconectarse antes que una descarga ha finalizado, lo que hace que todas las conexiones SSL activas se pierdan. • http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html http://secunia.com/advisories/29505 http://secunia.com/advisories/29544 http://secunia.com/advisories/29636 http://secunia.com/advisories/29649 http://secunia.com/advisories/30023 http://security.gentoo.org/glsa/glsa-200804-08.xml http://trac.lighttpd.net/trac/changeset/2136 http://trac.lighttpd.net/trac/changeset/2139 http://trac.lighttpd.net/trac/changeset/2140 http://trac.lighttpd.net/trac/ticket&#x •