[Debian] CVE: CVE-2022-37797: lighttpd : null pointer dereference
Bug #1997327 reported by Yue Tao
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Medium | Zhixiong Chi |
Bug Description
CVE-2022-37797: https:/
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to a null pointer dereference which crashes the server. It could be used by an external attacker to cause a denial of service condition.
Score:
cve_id | status | cvss3Score | av | ac | pr | ui | ai
---|---|---|---|---|---|---|---
CVE-2022-37797 | fixed | 7.5 | N | L | N | N | H
References:
https:/
Found during November 2022 CVE scan using vulscan
Changed in starlingx:
importance: Undecided → Medium
assignee: nobody → Zhixiong Chi (zhixiongchi)
status: New → Triaged
information type: Public → Public Security
tags: added: stx.8.0 stx.security
Changed in starlingx:
status: Triaged → In Progress
Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/integ/+/865430