CVE-2022-41556

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.

Un filtrado de recursos en el archivo gw_backend.c en lighttpd versiones 1.4.56 hasta 1.4.66, podría conllevar a una denegación de servicio (agotamiento de la ranura de conexión) después de una gran cantidad de comportamiento TCP anómalo por parte de los clientes. Está relacionado con un manejo inapropiado de RDHUP en determinadas situaciones de HTTP/1.1 chunked. El uso de mod_fastcgi está, por ejemplo, afectado. Esto ha sido corregido en versión 1.4.67

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-26 CVE Reserved
2022-09-28 CVE Published
2024-05-27 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-401: Missing Release of Memory after Effective Lifetime

CAPEC

References (5)

URL	Tag	Source
https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67	Third Party Advisory

URL	Date	SRC
https://github.com/lighttpd/lighttpd1.4/pull/115	2024-08-03

URL	Date	SRC
https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2	2023-11-07
https://security.gentoo.org/glsa/202210-12	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Lighttpd Search vendor "Lighttpd"		Lighttpd Search vendor "Lighttpd" for product "Lighttpd"				>= 1.4.56 < 1.4.67 Search vendor "Lighttpd" for product "Lighttpd" and version " >= 1.4.56 < 1.4.67"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected