Total: 34 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2007-3949 | Lighttpd | Lighttpd | 2018-10-15 | 8.3 HIGH | N/A | mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings.
CVE-2007-3948 | Lighttpd | Lighttpd | 2018-10-15 | 4.3 MEDIUM | N/A | connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts.
CVE-2007-3947 | Lighttpd | Lighttpd | 2018-10-15 | 5.8 MEDIUM | N/A | request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fault.
CVE-2007-3946 | Lighttpd | Lighttpd | 2018-10-15 | 6.4 MEDIUM | N/A | mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header.
CVE-2007-3950 | Lighttpd | Lighttpd | 2018-10-15 | 4.3 MEDIUM | N/A | lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules.
CVE-2008-4298 | Lighttpd | Lighttpd | 2018-10-11 | 5.0 MEDIUM | N/A | Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.
CVE-2008-1270 | Lighttpd | Lighttpd | 2018-10-11 | 5.0 MEDIUM | N/A | mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.
CVE-2008-1111 | Lighttpd | Lighttpd | 2018-10-11 | 5.0 MEDIUM | N/A | mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information.
CVE-2013-1427 | Debian, Lighttpd | Debian Linux, Lighttpd | 2017-08-28 | 1.9 LOW | N/A | The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition.
CVE-2012-5533 | Lighttpd | Lighttpd | 2017-08-28 | 5.0 MEDIUM | N/A | The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.
CVE-2010-0295 | Lighttpd | Lighttpd | 2017-08-16 | 5.0 MEDIUM | N/A | lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate.
CVE-2006-0760 | Lighttpd | Lighttpd | 2017-07-19 | 2.6 LOW | N/A | LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected capitalization, as demonstrated by a request for index.PHP when the configuration invokes the PHP interpreter only for ".php" names.
CVE-2015-3200 | HP, Lighttpd, Oracle | Virtual Customer Access System, Lighttpd, Solaris | 2016-12-23 | 5.0 MEDIUM | 7.5 HIGH | mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.
CVE-2005-0453 | Lighttpd | Lighttpd | 2008-09-05 | 5.0 MEDIUM | N/A | The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension.