CVE-2015-3200Injection in Lighttpd

CWE-74Injection10 documents7 sources
Severity
7.5HIGHNVD
EPSS
20.0%
top 4.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
LighttpdHP Virtual Customer Access SystemOracle Solaris
Timeline
PublishedJun 9
Latest updateMay 17

Description

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

Debianlighttpd/lighttpd< 1.4.37-1+3
Ubuntulighttpd/lighttpd< 1.4.33-1+nmu2ubuntu2.1+esm1+2
NVDlighttpd/lighttpd1.4.35
NVDoracle/solaris11.3

🔴Vulnerability Details

4
GHSA
GHSA-fxx4-pv62-6956: mod_auth in lighttpd before 12022-05-17
OSV
lighttpd vulnerabilities2021-03-15
CVEList
CVE-2015-3200: mod_auth in lighttpd before 12015-06-09
OSV
CVE-2015-3200: mod_auth in lighttpd before 12015-06-09

📋Vendor Advisories

2
Ubuntu
Lighttpd vulnerabilities2021-03-15
Debian
CVE-2015-3200: lighttpd - mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary l...2015

💬Community

3
Bugzilla
CVE-2015-3200 lighttpd: log injection via malformed base64 string in Authentication header2015-05-26
Bugzilla
CVE-2015-3200 lighttpd: log injection via malformed base64 string in Authentication header [fedora-all]2015-05-26
Bugzilla
CVE-2015-3200 lighttpd: log injection via malformed base64 string in Authentication header [epel-all]2015-05-26
CVE-2015-3200 — Injection in Lighttpd | cvebase