Vulnerability details: VCID-w3yg-6tdc-aaac
Vulnerability ID VCID-w3yg-6tdc-aaac
Aliases CVE-2013-4559
Summary lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
generic_textual Medium http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
generic_textual Medium http://lists.debian.org/debian-security-announce/2013/msg00207.html
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4559.html
epss 0.00646 https://api.first.org/data/v1/epss?cve=CVE-2013-4559
epss 0.01038 https://api.first.org/data/v1/epss?cve=CVE-2013-4559
epss 0.07105 https://api.first.org/data/v1/epss?cve=CVE-2013-4559
epss 0.1009 https://api.first.org/data/v1/epss?cve=CVE-2013-4559
epss 0.10621 https://api.first.org/data/v1/epss?cve=CVE-2013-4559
epss 0.12554 https://api.first.org/data/v1/epss?cve=CVE-2013-4559
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4508
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560
cvssv2 7.6 https://nvd.nist.gov/vuln/detail/CVE-2013-4559
Reference id Reference type URL
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
http://jvn.jp/en/jp/JVN37417423/index.html
http://lists.debian.org/debian-security-announce/2013/msg00207.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html
http://marc.info/?l=bugtraq&m=141576815022399&w=2
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4559.html
https://api.first.org/data/v1/epss?cve=CVE-2013-4559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4508
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560
http://secunia.com/advisories/55682
https://kc.mcafee.com/corporate/index?page=content&id=SB10310
https://www.debian.org/security/2013/dsa-2795
http://www.openwall.com/lists/oss-security/2013/11/12/4
729453 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729453
cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
CVE-2013-4559 https://nvd.nist.gov/vuln/detail/CVE-2013-4559
GLSA-201406-10 https://security.gentoo.org/glsa/201406-10
No exploits are available.
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2013-4559
Metric Value (decoded from the CVSS v2 vector above)
Exploitability (E) not defined (temporal metric absent from the vector)
Access Vector (AV) network
Access Complexity (AC) high
Authentication (Au) none
Confidentiality Impact (C) complete
Integrity Impact (I) complete
Availability Impact (A) complete

Exploit Prediction Scoring System (EPSS)
Percentile 0.79154
EPSS Score 0.00646
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.