CVE-2007-3946 — Missing Release of Memory after Effective Lifetime in Lighttpd
5 documents, 5 sources
Severity
6.4 MEDIUM (NVD)
EPSS
4.7%
top 10.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jul 24
Latest update: May 1
Description
mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header.
CVSS vector
AV:N/AC:L/C:P/I:N/A:P
Exploitability: 10.0 | Impact: 4.9
Affected Packages: 3 packages
Patches
Vulnerability Details (2)
Vendor Advisories (1)
Debian
CVE-2007-3946: lighttpd - mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to caus... (2007)