CVE-2013-4559
published 2013-11-20


Priority: P349 (high)
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
EPSS: 10.72% (95.3rd percentile)
lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.
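The defect described above is a missing check on privilege-dropping calls: if setuid() fails (for example with EAGAIN once the target user's process limit is exhausted), a daemon that ignores the return value keeps serving requests as root. The following C function is an added illustration of the defensive pattern, not code from lighttpd or from this record; the function name drop_privileges and the target ids passed to it are assumptions made for the example. It checks every call, verifies the resulting ids, and confirms that root cannot be regained before returning success.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop privileges to (uid, gid) and verify that the drop took effect.
 * Returns 0 on success and -1 on failure; errno is left as set by the
 * failing call. Order matters: supplementary groups and the primary group
 * must be changed while still root, because after setuid() to an
 * unprivileged user they can no longer be changed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() requires CAP_SETGID, so it is only attempted when the
     * process is actually root; an unprivileged process already running as
     * uid/gid has no supplementary groups it is allowed to clear. */
    if (geteuid() == 0) {
        if (setgroups(0, NULL) != 0) {
            fprintf(stderr, "setgroups: %s\n", strerror(errno));
            return -1;
        }
    }
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%u): %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    /* setuid() can fail with EAGAIN when the target user's process limit
     * (RLIMIT_NPROC) is exhausted. Treating that as fatal is the whole fix:
     * continuing here would leave the server running as root. */
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%u): %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    /* Confirm the kernel reports exactly the ids that were requested. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        fprintf(stderr, "privilege drop did not take effect\n");
        errno = EPERM;
        return -1;
    }
    /* Confirm root cannot be regained (catches a lingering saved set-user-ID).
     * Only meaningful when the target is not root itself. */
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privileges could be regained after drop\n");
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demo target: the current user's own ids, so the program also runs
     * unprivileged. A real daemon passes the configured service account. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "refusing to continue with elevated privileges\n");
        return 1;
    }
    printf("running as uid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

A daemon using this pattern exits (or refuses to accept connections) when drop_privileges() returns -1 instead of silently continuing as root, which is the behaviour the 1.4.33 fix restores.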

Affected

12 ranges

Vendor     Product        Version range                            Fixed in
debian     debian_linux   -                                        -
debian     debian_linux   -                                        -
debian     debian_linux   -                                        -
debian     lighttpd       < lighttpd 1.4.33-1+nmu1 (bookworm)      lighttpd 1.4.33-1+nmu1 (bookworm)
lighttpd   lighttpd       < 1.4.33                                 1.4.33
lighttpd   lighttpd       >= 0 < 1.4.33-1+nmu1                     1.4.33-1+nmu1
lighttpd   lighttpd       >= 0 < 1.4.33-1+nmu1                     1.4.33-1+nmu1
lighttpd   lighttpd       >= 0 < 1.4.33-1+nmu1                     1.4.33-1+nmu1
lighttpd   lighttpd       >= 0 < 1.4.33-1+nmu1                     1.4.33-1+nmu1
opensuse   opensuse       -                                        -
opensuse   opensuse       -                                        -
opensuse   opensuse       -                                        -

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v2.0      7.6     HIGH       AV:N/AC:H/Au:N/C:C/I:C/A:C
osv            -         7.6     HIGH       -
vendor_debian  -         7.6     HIGH       -