Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-4362: Lighttpd vulnerability

10 documents, 7 sources

Severity: 5.0 MEDIUM (NVD)
EPSS: 4.4% (top 10.98%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Dec 24; latest update Dec 29

Description

Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.

CVSS vector

AV:N/AC:L/C:N/I:N/A:P (Exploitability: 10.0 | Impact: 2.9)

Affected Packages (3 packages)

Source: debian | Package: debian/lighttpd | Range: < lighttpd 1.4.30-1 (bookworm)
Source: NVD | Package: lighttpd/lighttpd | Range: 1.4.1 1.4.30+1
Source: Debian | Package: lighttpd/lighttpd | Range: < 1.4.30-1+3

Also affects: Debian Linux 5.0, 6.0, 7.0

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-wx9r-x448-8rcp: Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth... (2022-05-13)
OSV: CVE-2011-4362: Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth... (2011-12-24)

💥 Exploits & PoCs (1)

Exploit-DB: lighttpd - Denial of Service (PoC) (2011-12-31)

📋 Vendor Advisories (1)

Debian: CVE-2011-4362: lighttpd - Integer signedness error in the base64_decode function in the HTTP authenticatio... (2011)

📄 Research Papers (2)

arXiv: One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware (2022-12-29)
arXiv: Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response (2017-11-02)

💬 Community (3)

Bugzilla: CVE-2011-4362 lighttpd: Out of bounds read due to a signedness error (DoS, crash) [epel-all] (2011-11-30)
Bugzilla: CVE-2011-4362 lighttpd: Out of bounds read due to a signedness error (DoS, crash) (2011-11-30)
Bugzilla: CVE-2011-4362 lighttpd: Out of bounds read due to a signedness error (DoS, crash) [fedora-all] (2011-11-30)