CVE-2013-4508 — Inadequate Encryption Strength in Lighttpd

CWE-326 — Inadequate Encryption Strength8 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.8%

top 25.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lighttpd Debian Lighttpd Debian Linux +1 more

Timeline

PublishedNov 8

Latest updateDec 29

Description

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/lighttpd< lighttpd 1.4.33-1+nmu1 (bookworm)

▶Debianlighttpd/lighttpd< 1.4.33-1+nmu1+3

▶NVDlighttpd/lighttpd1.4.24 — 1.4.33

▶NVDopensuse/opensuse12.2, 12.3, 13.1+2

Also affects: Debian Linux 6.0, 7.0, 8.0

🔴Vulnerability Details

GHSA

GHSA-vfqw-83ww-jr3v: lighttpd before 1↗2022-05-13

▶

OSV

CVE-2013-4508: lighttpd before 1↗2013-11-08

▶

📋Vendor Advisories

Debian

CVE-2013-4508: lighttpd - lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which ...↗2013

▶

📄Research Papers

arXiv

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29

▶

💬Community

Bugzilla

CVE-2013-4508 lighttpd: uses vulnerable cipher suites when SNI is used↗2013-11-05

▶

Bugzilla

CVE-2013-4508 lighttpd: uses vulnerable cipher suites when SNI is used [fedora-all]↗2013-11-05

▶

Bugzilla

CVE-2013-4508 lighttpd: uses vulnerable cipher suites when SNI is used [epel-all]↗2013-11-05

▶