CVE-2022-37797

Sažetak

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.

Reference

https://redmine.lighttpd.net/issues/3165
https://www.debian.org/security/2022/dsa-5243
https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html
https://security.gentoo.org/glsa/202210-12

CVSS

Base:	7.5
Impact:	3.6
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	-

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Zadnje važnije ažuriranje

03-12-2022 - 01:11

Objavljeno

12-09-2022 - 15:15