Search for packages
| purl | pkg:deb/debian/lighttpd@1.4.53-4%2Bdeb10u2 |
| Next non-vulnerable version | 1.4.59-1+deb11u2 |
| Latest non-vulnerable version | 1.4.59-1+deb11u2 |
| Risk | 3.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-mp2h-q3g8-aaag
Aliases: CVE-2022-41556 |
A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67. |
Affected by 0 other vulnerabilities. |
|
VCID-pufn-ddd6-aaab
Aliases: CVE-2022-30780 |
Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-s9yg-42jr-aaae
Aliases: CVE-2022-22707 |
In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system. |
Affected by 0 other vulnerabilities. |
|
VCID-vkap-83f6-aaag
Aliases: CVE-2022-37797 |
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3zgk-vtpf-aaaa | There exists use-after-free vulnerabilities in lighttpd <= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests. |
CVE-2018-25103
|
| VCID-7cp7-ejy5-aaap | A condition exists in lighttpd version prior to 1.4.51 whereby a remote attacker can craft an http request which could result in multiple outcomes: 1.) cause lighttpd to access freed memory in which case the process lighttpd is running in could be terminated or other non-deterministic behavior could result 2.) a memory information disclosure event could result which could be used to determine the state of memory which could then be used to theoretically bypass ALSR protections This CVE will be updated with more details on July 9th, 2024 after affected parties have had time to remediate. |
CVE-2024-3708
|
| VCID-s9yg-42jr-aaae | In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system. |
CVE-2022-22707
|
| VCID-weku-6nwy-aaan | ** DISPUTED ** lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit." |
CVE-2019-11072
|
| VCID-ywgz-ge92-aaas | An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character. |
CVE-2018-19052
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-06-21T19:11:20.491154+00:00 | Debian Oval Importer | Affected by | VCID-s9yg-42jr-aaae | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.3 |
| 2025-06-21T18:26:04.511835+00:00 | Debian Oval Importer | Affected by | VCID-mp2h-q3g8-aaag | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.3 |
| 2025-06-21T14:43:22.409387+00:00 | Debian Oval Importer | Affected by | VCID-vkap-83f6-aaag | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.3 |
| 2025-06-21T14:26:49.635282+00:00 | Debian Oval Importer | Fixing | VCID-ywgz-ge92-aaas | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.3 |
| 2025-06-21T14:21:51.029144+00:00 | Debian Oval Importer | Fixing | VCID-s9yg-42jr-aaae | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.3 |
| 2025-06-21T14:10:29.568941+00:00 | Debian Oval Importer | Fixing | VCID-weku-6nwy-aaan | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.3 |
| 2025-06-21T07:08:24.067328+00:00 | Debian Importer | Affected by | VCID-vkap-83f6-aaag | None | 36.1.3 |
| 2025-06-21T04:41:10.411047+00:00 | Debian Oval Importer | Affected by | VCID-s9yg-42jr-aaae | None | 36.1.3 |
| 2025-06-21T03:32:55.301933+00:00 | Debian Oval Importer | Affected by | VCID-pufn-ddd6-aaab | None | 36.1.3 |
| 2025-06-21T03:13:10.191791+00:00 | Debian Oval Importer | Affected by | VCID-mp2h-q3g8-aaag | None | 36.1.3 |
| 2025-06-21T01:10:15.543805+00:00 | Debian Oval Importer | Fixing | VCID-weku-6nwy-aaan | None | 36.1.3 |
| 2025-06-21T00:13:12.020680+00:00 | Debian Oval Importer | Fixing | VCID-s9yg-42jr-aaae | None | 36.1.3 |
| 2025-06-20T23:30:07.455636+00:00 | Debian Oval Importer | Fixing | VCID-ywgz-ge92-aaas | None | 36.1.3 |
| 2025-06-20T23:01:09.592357+00:00 | Debian Oval Importer | Affected by | VCID-vkap-83f6-aaag | None | 36.1.3 |
| 2025-06-08T13:07:40.490570+00:00 | Debian Oval Importer | Fixing | VCID-ywgz-ge92-aaas | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T12:26:02.603174+00:00 | Debian Oval Importer | Affected by | VCID-vkap-83f6-aaag | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T11:40:13.837454+00:00 | Debian Oval Importer | Affected by | VCID-s9yg-42jr-aaae | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T10:56:40.133931+00:00 | Debian Oval Importer | Affected by | VCID-mp2h-q3g8-aaag | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T07:36:40.530432+00:00 | Debian Oval Importer | Affected by | VCID-vkap-83f6-aaag | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.0 |
| 2025-06-08T07:19:51.709782+00:00 | Debian Oval Importer | Fixing | VCID-ywgz-ge92-aaas | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.0 |
| 2025-06-08T07:14:57.766225+00:00 | Debian Oval Importer | Fixing | VCID-s9yg-42jr-aaae | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.0 |
| 2025-06-08T07:03:47.149848+00:00 | Debian Oval Importer | Fixing | VCID-weku-6nwy-aaan | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.0 |
| 2025-06-07T22:18:02.144572+00:00 | Debian Oval Importer | Affected by | VCID-s9yg-42jr-aaae | None | 36.1.0 |
| 2025-06-07T21:06:35.391156+00:00 | Debian Oval Importer | Affected by | VCID-pufn-ddd6-aaab | None | 36.1.0 |
| 2025-06-07T20:46:03.176802+00:00 | Debian Oval Importer | Affected by | VCID-mp2h-q3g8-aaag | None | 36.1.0 |
| 2025-06-07T18:32:54.972249+00:00 | Debian Oval Importer | Fixing | VCID-weku-6nwy-aaan | None | 36.1.0 |
| 2025-06-07T17:36:01.784425+00:00 | Debian Oval Importer | Fixing | VCID-s9yg-42jr-aaae | None | 36.1.0 |
| 2025-06-07T16:53:02.523113+00:00 | Debian Oval Importer | Fixing | VCID-ywgz-ge92-aaas | None | 36.1.0 |
| 2025-06-07T16:24:20.033387+00:00 | Debian Oval Importer | Affected by | VCID-vkap-83f6-aaag | None | 36.1.0 |
| 2025-04-13T00:52:25.989541+00:00 | Debian Oval Importer | Fixing | VCID-3zgk-vtpf-aaaa | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-13T00:52:18.520755+00:00 | Debian Oval Importer | Fixing | VCID-3zgk-vtpf-aaaa | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.0.0 |
| 2025-04-13T00:35:28.921908+00:00 | Debian Oval Importer | Fixing | VCID-7cp7-ejy5-aaap | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-13T00:35:28.178864+00:00 | Debian Oval Importer | Fixing | VCID-7cp7-ejy5-aaap | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.0.0 |
| 2025-04-12T20:48:29.249215+00:00 | Debian Oval Importer | Fixing | VCID-weku-6nwy-aaan | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T19:22:22.865256+00:00 | Debian Oval Importer | Affected by | VCID-pufn-ddd6-aaab | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T18:55:17.993242+00:00 | Debian Oval Importer | Fixing | VCID-ywgz-ge92-aaas | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T18:12:13.104210+00:00 | Debian Oval Importer | Affected by | VCID-vkap-83f6-aaag | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T17:24:55.589669+00:00 | Debian Oval Importer | Affected by | VCID-s9yg-42jr-aaae | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T16:39:19.667108+00:00 | Debian Oval Importer | Affected by | VCID-mp2h-q3g8-aaag | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-08T06:09:14.895661+00:00 | Debian Oval Importer | Affected by | VCID-vkap-83f6-aaag | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.0.0 |
| 2025-04-08T05:52:29.015752+00:00 | Debian Oval Importer | Fixing | VCID-ywgz-ge92-aaas | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.0.0 |
| 2025-04-08T05:47:32.072690+00:00 | Debian Oval Importer | Fixing | VCID-s9yg-42jr-aaae | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.0.0 |
| 2025-04-08T05:36:30.819436+00:00 | Debian Oval Importer | Fixing | VCID-weku-6nwy-aaan | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.0.0 |
| 2025-04-07T20:49:33.003465+00:00 | Debian Oval Importer | Affected by | VCID-s9yg-42jr-aaae | None | 36.0.0 |
| 2025-04-07T19:36:50.216386+00:00 | Debian Oval Importer | Affected by | VCID-pufn-ddd6-aaab | None | 36.0.0 |
| 2025-04-07T19:16:34.540835+00:00 | Debian Oval Importer | Affected by | VCID-mp2h-q3g8-aaag | None | 36.0.0 |
| 2025-04-07T17:10:35.805186+00:00 | Debian Oval Importer | Fixing | VCID-weku-6nwy-aaan | None | 36.0.0 |
| 2025-04-07T16:10:44.137077+00:00 | Debian Oval Importer | Fixing | VCID-s9yg-42jr-aaae | None | 36.0.0 |
| 2025-04-07T15:25:56.574311+00:00 | Debian Oval Importer | Fixing | VCID-ywgz-ge92-aaas | None | 36.0.0 |
| 2025-04-07T14:56:11.395083+00:00 | Debian Oval Importer | Affected by | VCID-vkap-83f6-aaag | None | 36.0.0 |
| 2025-04-06T20:14:04.616215+00:00 | Debian Importer | Affected by | VCID-pufn-ddd6-aaab | None | 36.0.0 |
| 2025-04-05T04:24:41.405462+00:00 | Debian Importer | Affected by | VCID-vkap-83f6-aaag | None | 36.0.0 |
| 2025-02-21T01:28:14.042576+00:00 | Debian Importer | Affected by | VCID-vkap-83f6-aaag | None | 35.1.0 |
| 2025-02-20T21:31:21.616199+00:00 | Debian Importer | Affected by | VCID-pufn-ddd6-aaab | None | 35.1.0 |
| 2024-11-23T16:51:25.696782+00:00 | Debian Importer | Affected by | VCID-vkap-83f6-aaag | None | 35.0.0 |
| 2024-11-23T13:50:17.653223+00:00 | Debian Importer | Affected by | VCID-pufn-ddd6-aaab | None | 35.0.0 |
| 2024-10-10T14:23:16.472338+00:00 | Debian Importer | Affected by | VCID-vkap-83f6-aaag | None | 34.0.2 |
| 2024-10-10T11:44:09.903780+00:00 | Debian Importer | Affected by | VCID-pufn-ddd6-aaab | None | 34.0.2 |
| 2024-09-19T20:41:19.306440+00:00 | Debian Importer | Affected by | VCID-vkap-83f6-aaag | None | 34.0.1 |
| 2024-09-19T18:23:31.033738+00:00 | Debian Importer | Affected by | VCID-pufn-ddd6-aaab | None | 34.0.1 |
| 2024-04-25T19:13:47.494008+00:00 | Debian Importer | Affected by | VCID-vkap-83f6-aaag | None | 34.0.0rc4 |
| 2024-04-25T15:10:44.226248+00:00 | Debian Importer | Affected by | VCID-pufn-ddd6-aaab | None | 34.0.0rc4 |
| 2024-01-12T01:02:24.869406+00:00 | Debian Importer | Affected by | VCID-vkap-83f6-aaag | None | 34.0.0rc2 |
| 2024-01-11T17:48:45.861427+00:00 | Debian Importer | Affected by | VCID-pufn-ddd6-aaab | None | 34.0.0rc2 |
| 2024-01-05T04:24:43.082242+00:00 | Debian Importer | Affected by | VCID-vkap-83f6-aaag | None | 34.0.0rc1 |
| 2024-01-05T02:01:05.157768+00:00 | Debian Importer | Affected by | VCID-pufn-ddd6-aaab | None | 34.0.0rc1 |