Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Lighttpd Subscribe
Total 34 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2007-3949 1 Lighttpd 1 Lighttpd 2018-10-15 8.3 HIGH N/A
mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings.
CVE-2007-3948 1 Lighttpd 1 Lighttpd 2018-10-15 4.3 MEDIUM N/A
connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts.
CVE-2007-3947 1 Lighttpd 1 Lighttpd 2018-10-15 5.8 MEDIUM N/A
request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fault.
CVE-2007-3946 1 Lighttpd 1 Lighttpd 2018-10-15 6.4 MEDIUM N/A
mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header.
CVE-2007-3950 1 Lighttpd 1 Lighttpd 2018-10-15 4.3 MEDIUM N/A
lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules.
CVE-2008-4298 1 Lighttpd 1 Lighttpd 2018-10-11 5.0 MEDIUM N/A
Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.
CVE-2008-1270 1 Lighttpd 1 Lighttpd 2018-10-11 5.0 MEDIUM N/A
mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.
CVE-2008-1111 1 Lighttpd 1 Lighttpd 2018-10-11 5.0 MEDIUM N/A
mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information.
CVE-2013-1427 2 Debian, Lighttpd 2 Debian Linux, Lighttpd 2017-08-28 1.9 LOW N/A
The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition.
CVE-2012-5533 1 Lighttpd 1 Lighttpd 2017-08-28 5.0 MEDIUM N/A
The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.
CVE-2010-0295 1 Lighttpd 1 Lighttpd 2017-08-16 5.0 MEDIUM N/A
lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate.
CVE-2006-0760 1 Lighttpd 1 Lighttpd 2017-07-19 2.6 LOW N/A
LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected capitalization, as demonstrated by a request for index.PHP when the configuration invokes the PHP interpreter only for ".php" names.
CVE-2015-3200 3 Hp, Lighttpd, Oracle 3 Virtual Customer Access System, Lighttpd, Solaris 2016-12-23 5.0 MEDIUM 7.5 HIGH
mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.
CVE-2005-0453 1 Lighttpd 1 Lighttpd 2008-09-05 5.0 MEDIUM N/A
The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension.