VulnerableCode Package Details - pkg:deb/debian/lighttpd@1.4.53-4%2Bdeb10u2

Search for packages

Vulnerability	Summary	Fixed by
VCID-8sn2-9v3z-5qd8 Aliases: CVE-2022-37797	A vulnerability has been discovered in lighttpd which could result in denial of service.	1.4.59-1+deb11u2 Affected by 0 other vulnerabilities.
VCID-dj2j-yr1r-myej Aliases: CVE-2022-41556	A vulnerability has been discovered in lighttpd which could result in denial of service.	1.4.59-1+deb11u2 Affected by 0 other vulnerabilities.
VCID-ma83-g8ra-47bd Aliases: CVE-2022-30780	Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.	1.4.59-1+deb11u2 Affected by 0 other vulnerabilities.
VCID-nabb-9r87-mbhw Aliases: CVE-2022-22707	security update	1.4.59-1+deb11u2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-8sn2-9v3z-5qd8
Aliases:
CVE-2022-37797

A vulnerability has been discovered in lighttpd which could result in denial of service.

1.4.59-1+deb11u2
Affected by 0 other vulnerabilities.

VCID-dj2j-yr1r-myej
Aliases:
CVE-2022-41556

A vulnerability has been discovered in lighttpd which could result in denial of service.

1.4.59-1+deb11u2
Affected by 0 other vulnerabilities.

VCID-ma83-g8ra-47bd
Aliases:
CVE-2022-30780

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

1.4.59-1+deb11u2
Affected by 0 other vulnerabilities.

VCID-nabb-9r87-mbhw
Aliases:
CVE-2022-22707

security update

1.4.59-1+deb11u2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-392a-57u1-mqcx	lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit.	CVE-2019-11072
VCID-nabb-9r87-mbhw	security update	CVE-2022-22707
VCID-uk6q-31q8-qqf9	There exists use-after-free vulnerabilities in lighttpd <= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests.	CVE-2018-25103
VCID-wfbv-rpt2-9bcs	An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.	CVE-2018-19052

Vulnerability

Summary

Aliases

VCID-392a-57u1-mqcx

lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit.

CVE-2019-11072

VCID-nabb-9r87-mbhw

security update

CVE-2022-22707

VCID-uk6q-31q8-qqf9

There exists use-after-free vulnerabilities in lighttpd <= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests.

CVE-2018-25103

VCID-wfbv-rpt2-9bcs

An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.

CVE-2018-19052

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-15T22:12:51.502740+00:00	Debian Oval Importer	Fixing	VCID-392a-57u1-mqcx	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T19:58:25.676416+00:00	Debian Oval Importer	Affected by	VCID-ma83-g8ra-47bd	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T19:16:05.173318+00:00	Debian Oval Importer	Fixing	VCID-wfbv-rpt2-9bcs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T18:08:50.964075+00:00	Debian Oval Importer	Affected by	VCID-8sn2-9v3z-5qd8	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T17:27:14.133444+00:00	Debian Oval Importer	Fixing	VCID-uk6q-31q8-qqf9	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T16:56:05.176733+00:00	Debian Oval Importer	Affected by	VCID-nabb-9r87-mbhw	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T15:45:51.286514+00:00	Debian Oval Importer	Affected by	VCID-dj2j-yr1r-myej	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T14:56:21.189813+00:00	Debian Oval Importer	Fixing	VCID-nabb-9r87-mbhw	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.4.0
2026-04-11T21:50:33.859146+00:00	Debian Oval Importer	Fixing	VCID-392a-57u1-mqcx	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T19:40:24.167613+00:00	Debian Oval Importer	Affected by	VCID-ma83-g8ra-47bd	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T18:59:32.424324+00:00	Debian Oval Importer	Fixing	VCID-wfbv-rpt2-9bcs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T17:54:24.468859+00:00	Debian Oval Importer	Affected by	VCID-8sn2-9v3z-5qd8	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T17:13:34.700264+00:00	Debian Oval Importer	Fixing	VCID-uk6q-31q8-qqf9	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T16:42:46.215557+00:00	Debian Oval Importer	Affected by	VCID-nabb-9r87-mbhw	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T15:33:35.143496+00:00	Debian Oval Importer	Affected by	VCID-dj2j-yr1r-myej	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T14:44:37.788334+00:00	Debian Oval Importer	Fixing	VCID-nabb-9r87-mbhw	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.3.0
2026-04-08T21:28:06.410297+00:00	Debian Oval Importer	Fixing	VCID-392a-57u1-mqcx	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T19:23:24.104137+00:00	Debian Oval Importer	Affected by	VCID-ma83-g8ra-47bd	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T18:44:04.707492+00:00	Debian Oval Importer	Fixing	VCID-wfbv-rpt2-9bcs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T17:41:16.154805+00:00	Debian Oval Importer	Affected by	VCID-8sn2-9v3z-5qd8	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T17:02:27.523247+00:00	Debian Oval Importer	Fixing	VCID-uk6q-31q8-qqf9	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T16:33:14.515748+00:00	Debian Oval Importer	Affected by	VCID-nabb-9r87-mbhw	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T15:27:42.850734+00:00	Debian Oval Importer	Affected by	VCID-dj2j-yr1r-myej	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-07T23:17:29.551268+00:00	Debian Oval Importer	Fixing	VCID-nabb-9r87-mbhw	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.1.0