CVE-2013-1427 — Race Condition in Lighttpd
Severity
1.9 LOW (NVD)
EPSS
0.0%
top 87.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 21
Latest update: May 17
Description
The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition.
CVSS vector
AV:L/AC:M/C:N/I:P/A:N
Exploitability: 3.4 | Impact: 2.9