Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-5533: Infinite Loop in Lighttpd

CWE-399 | 10 documents | 8 sources
Severity: 5.0 MEDIUM (NVD)
EPSS: 37.9% (top 2.78%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: Nov 24
Latest update: May 17

Description

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.

CVSS vector

AV:N/AC:L/C:N/I:N/A:P
Exploitability: 10.0 | Impact: 2.9

Affected Packages (3 packages)

debian: debian/lighttpd < lighttpd 1.4.31-2 (bookworm)
Debian: lighttpd/lighttpd < 1.4.31-2 (+3)
NVD: lighttpd/lighttpd 1.4.31, 1.4.32 (+1)

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-v87j-h4pq-fh3j: The http_request_split_value function in request (2022-05-17)
CVEList: CVE-2012-5533: The http_request_split_value function in request (2012-11-24)
OSV: CVE-2012-5533: The http_request_split_value function in request (2012-11-24)

💥 Exploits & PoCs (1)

Exploit-DB: lighttpd 1.4.31 - Denial of Service (PoC) (2012-11-22)

📋 Vendor Advisories (1)

Debian: CVE-2012-5533: lighttpd - The http_request_split_value function in request.c in lighttpd before 1.4.32 all... (2012)

📄 Research Papers (1)

arXiv: Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response (2017-11-02)

💬 Community (3)

Bugzilla: CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers [epel-all] (2012-11-21)
Bugzilla: CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers [fedora-all] (2012-11-21)
Bugzilla: CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers (2012-11-19)