CVE-2008-4298 — Missing Release of Memory after Effective Lifetime in Lighttpd

CWE-399 CWE-401 — Missing Release of Memory after Effective Lifetime10 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

2.6%

top 14.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lighttpd Debian Lighttpd

Timeline

PublishedSep 27

Latest updateMay 2

Description

Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/lighttpd< lighttpd 1.4.19-5 (bookworm)

▶Debianlighttpd/lighttpd< 1.4.19-5+3

▶NVDlighttpd/lighttpd1.4.19+53

Patches

Patch: trac.lighttpd.net ↗Patch: trac.lighttpd.net ↗

🔴Vulnerability Details

GHSA

GHSA-w6pj-53xr-3hq6: Memory leak in the http_request_parse function in request↗2022-05-02

▶

OSV

CVE-2008-4298: Memory leak in the http_request_parse function in request↗2008-09-27

▶

📋Vendor Advisories

Red Hat

lighttpd: memory leak http_request_parse() in request.c↗2008-09-20

▶

Debian

CVE-2008-4298: lighttpd - Memory leak in the http_request_parse function in request.c in lighttpd before 1...↗2008

▶

💬Community

Bugzilla

CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [Fedora 8]↗2008-09-29

▶

Bugzilla

CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [epel-4]↗2008-09-29

▶

Bugzilla

CVE-2008-4298 lighttpd: memory leak http_request_parse() in request.c↗2008-09-29

▶

Bugzilla

CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [epel-5]↗2008-09-29

▶

Bugzilla

CVE-2008-4298 CVE-2008-4359 CVE-2008-4360 lighttpd: multiple security issues [Fedora 9]↗2008-09-29

▶