Debian Lighttpd vulnerabilities

CVE-2025-12642 [MEDIUM] CVE-2025-12642: lighttpd - lighttpd1.4.80 incorrectly merged trailer fields into headers after http request... lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some c

CVE-2022-41556 [HIGH] CVE-2022-41556: lighttpd - A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to ... A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67. Scope: local bookworm: resolved (

CVE-2022-37797 [HIGH] CVE-2022-37797: lighttpd - In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer ... In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition. Scope: local bookworm: resolved (fixed in 1.4.66-1) bullseye: resolved (fixed in 1.

CVE-2022-30780 [HIGH] CVE-2022-30780: lighttpd - Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of ser... Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers. Scope: local bookworm: resolved (fixed in 1.4.59-1) bullseye: resolved (fixed in 1.4.59-1) forky: resolved (fixed

CVE-2022-22707 [MEDIUM] CVE-2022-22707: lighttpd - In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the ... In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 3

CVE-2019-11072 [CRITICAL] CVE-2019-11072: lighttpd - lighttpd before 1.4.54 has a signed integer overflow, which might allow remote a... lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to c

CVE-2018-19052 [HIGH] CVE-2018-19052: lighttpd - An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd... An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character. Scope: local bookwo

CVE-2018-25103 [MEDIUM] CVE-2018-25103: lighttpd - There exists use-after-free vulnerabilities in lighttpd <= 1.4.50 request parsin... There exists use-after-free vulnerabilities in lighttpd <= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests. Scope: local bookworm: resolved (fixed in 1.4.52-1) bullseye: resolved (fixed in 1.4.52-1) forky: resolved (fixed in 1.4.52-1) sid: resolved (fixed in 1.4.52-1) trixie: resolved (fixe

CVE-2016-1000212 CVE-2016-1000212: lighttpd bookworm: resolved (fixed in 1.4.43-1) bullseye: resolved (fixed in 1.4.43-1) forky: resolved (fixed in 1.4.43-1) sid: resolved (fixed in 1.4.43-1) trixie: resolved (fixed in 1.4.43-1)

CVE-2015-3200 [HIGH] CVE-2015-3200: lighttpd - mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary l... mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character. Scope: local bookworm: resolved (fixed in 1.4.37-1) bullseye: resolved (fixed in 1.4.37-1) forky: resolved (fixed in 1.4.37-1) sid: resolved (

CVE-2014-2323 [CRITICAL] CVE-2014-2323: lighttpd - SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allow... SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. Scope: local bookworm: resolved (fixed in 1.4.33-1+nmu3) bullseye: resolved (fixed in 1.4.33-1+nmu3) forky: resolved (fixed in 1.4.33-1+nmu3) sid: resolved (fixed in 1.4.33-1+nmu

CVE-2014-2324 [MEDIUM] CVE-2014-2324: lighttpd - Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simpl... Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname. Scope: local bookworm: resolved (fixed in 1.4.33-1+nmu3) bullseye: resolved (fixed in 1.4.33-1+nmu3) forky: resolved (fixed in 1.4.33-

CVE-2014-3566 [LOW] CVE-2014-3566: bouncycastle - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses... The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2014-2469 [MEDIUM] CVE-2014-2469: lighttpd - Unspecified vulnerability in lighttpd in Oracle Solaris 11.1 allows attackers to... Unspecified vulnerability in lighttpd in Oracle Solaris 11.1 allows attackers to cause a denial of service via unknown vectors. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2013-4559 [HIGH] CVE-2013-4559: lighttpd - lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) se... lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached. Scope: local bookworm: r

CVE-2013-4508 [HIGH] CVE-2013-4508: lighttpd - lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which ... lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network. Scope: local bookworm: resolved (fixed in 1.4.33-1+nmu1) bullseye: resolved (fixed in 1.4.33-1+nmu1) forky: resolved (fi

CVE-2013-4560 [MEDIUM] CVE-2013-4560: lighttpd - Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers t... Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures. Scope: local bookworm: resolved (fixed in 1.4.33-1+nmu1) bullseye: resolved (fixed in 1.4.33-1+nmu1) forky: resolved (fixed in 1.4.33-1+nmu1) sid: resolved (fixe

CVE-2013-1427 [LOW] CVE-2013-1427: lighttpd - The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on... The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition. Scope: local bookworm: resolve

CVE-2012-5533 [MEDIUM] CVE-2012-5533: lighttpd - The http_request_split_value function in request.c in lighttpd before 1.4.32 all... The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header. Scope: local bookworm: resolved (fixed in 1.4.31-2) bullseye: resolved (fixed in 1.4.31-2) forky: resol

CVE-2012-4929 [LOW] CVE-2012-4929: apache2 - The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt,... The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potenti