CVE-2013-4559

Published: Nov 20, 2013Modified: Apr 29, 2026

7.6

Vector

AV:N/AC:H/Au:N/C:C/I:C/A:C

Exploitability: 4.9 / Impact: 10.0

Source: NVD

Description

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.

Affected (7)

Products: Lighttpd: Lighttpd · Debian: Debian Linux · Opensuse: Opensuse

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lighttpd Lighttpd	Before 1.4.33

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 6.0
Debian Debian Linux	Version 7.0
Debian Debian Linux	Version 8.0

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Opensuse Opensuse	Version 12.2
Opensuse Opensuse	Version 12.3
Opensuse Opensuse	Version 13.1

Related CWEs

References (16)

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt

Source: secalert@redhat.com

Vendor Advisory

http://jvn.jp/en/jp/JVN37417423/index.html

Source: secalert@redhat.com

Third Party Advisory

http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=141576815022399&w=2

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

http://secunia.com/advisories/55682

Source: secalert@redhat.com

Third Party Advisory

http://www.openwall.com/lists/oss-security/2013/11/12/4

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://kc.mcafee.com/corporate/index?page=content&id=SB10310

Source: secalert@redhat.com

Third Party Advisory

https://www.debian.org/security/2013/dsa-2795

Source: secalert@redhat.com

Third Party Advisory

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://jvn.jp/en/jp/JVN37417423/index.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=141576815022399&w=2

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

http://secunia.com/advisories/55682

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

http://www.openwall.com/lists/oss-security/2013/11/12/4

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://kc.mcafee.com/corporate/index?page=content&id=SB10310

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2013/dsa-2795

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.