Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-0295 — Lighttpd vulnerability

CWE-3998 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

5.6%

top 9.70%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Lighttpd Debian Lighttpd

Timeline

PublishedFeb 3

Latest updateMay 2

Description

lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/lighttpd< lighttpd 1.4.26-1 (bookworm)

▶Debianlighttpd/lighttpd< 1.4.26-1+3

▶NVDlighttpd/lighttpd1.4.25+61

Patches

Patch: download.lighttpd.net ↗Patch: download.lighttpd.net ↗Patch: download.lighttpd.net ↗

🔴Vulnerability Details

GHSA

GHSA-x8r6-c7pf-w6m4: lighttpd before 1↗2022-05-02

▶

OSV

CVE-2010-0295: lighttpd before 1↗2010-02-03

▶

💥Exploits & PoCs

Exploit-DB

Mozilla Firefox - location.QueryInterface() Code Execution (Metasploit)↗2010-09-20

▶

Exploit-DB

lighttpd 1.4/1.5 - Slow Request Handling Remote Denial of Service↗2010-02-02

▶

📋Vendor Advisories

Debian

CVE-2010-0295: lighttpd - lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation th...↗2010

▶

Red Hat

lighttpd: Remote DoS (excessive memory use) by handling specially-crafted HTTP request↗

▶

💬Community

Bugzilla

CVE-2010-0295 lighttpd: Remote DoS (excessive memory use) by handling specially-crafted HTTP request↗2010-02-03

▶