CVE-2022-37797

Published: Sep 12, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.

Affected (2)

Products: Lighttpd: Lighttpd · Debian: Debian Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lighttpd Lighttpd	Version 1.4.65

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Related CWEs

NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

References (8)

https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://redmine.lighttpd.net/issues/3165

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://security.gentoo.org/glsa/202210-12

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2022/dsa-5243

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://redmine.lighttpd.net/issues/3165

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://security.gentoo.org/glsa/202210-12

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2022/dsa-5243

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.