CVE-2022-37797 — NULL Pointer Dereference in Lighttpd

CWE-476 — NULL Pointer Dereference6 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.4%

top 19.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lighttpd Debian Linux

Timeline

PublishedSep 12

Latest updateFeb 15

Description

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debianlighttpd/lighttpd< 1.4.59-1+deb11u2+3

▶NVDlighttpd/lighttpd1.4.65

Also affects: Debian Linux 10.0

🔴Vulnerability Details

GHSA

GHSA-cm5p-p299-9f4g: In lighttpd 1↗2022-09-13

▶

CVEList

CVE-2022-37797: In lighttpd 1↗2022-09-12

▶

OSV

CVE-2022-37797: In lighttpd 1↗2022-09-12

▶

📋Vendor Advisories

CISA ICS

Siemens SCALANCE XCM-/XRM-300↗2024-02-15

▶

Debian

CVE-2022-37797: lighttpd - In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer ...↗2022

▶