[Debian] CVE: CVE-2022-41556/CVE-2022-30780: Lighttpd : multiple CVEs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Won't Fix | Medium | Yue Tao |
Bug Description
CVE-2022-41556: [https:/
A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.
CVE-2022-30780: [https:/
Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_
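As an added example (not part of the original bug report), the following script parses a lighttpd version string and flags which of the two CVEs' inclusive affected ranges it falls into. The ranges are the ones quoted in the two descriptions above; the function names and the sample version strings are constructed for illustration and do not come from a real host.

```python
import re

# Affected release ranges (inclusive) taken from the two CVE descriptions above.
# Versions below 1.4.56 or above the upper bound are outside the affected range.
AFFECTED_RANGES = {
    "CVE-2022-41556": ((1, 4, 56), (1, 4, 66)),  # fixed upstream in 1.4.67
    "CVE-2022-30780": ((1, 4, 56), (1, 4, 58)),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z version found in text as a tuple of ints.

    Works on `lighttpd -v` output ("lighttpd/1.4.59 (ssl) - a light and fast webserver"),
    on a Server response header, and on a Debian package version ("1.4.59-1+deb11u2").
    Raises ValueError if no version is present.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def affected_cves(version):
    """List the CVEs whose inclusive affected range contains version."""
    return [cve for cve, (low, high) in AFFECTED_RANGES.items()
            if low <= version <= high]


def triage(text):
    """Parse a version string and return (version, list of matching CVEs)."""
    version = parse_version(text)
    return version, affected_cves(version)


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical), not output from a real server.
    for sample in (
        "lighttpd/1.4.59 (ssl) - a light and fast webserver",
        "1.4.53-4+deb10u2",
        "lighttpd/1.4.57",
        "lighttpd/1.4.67",
    ):
        print(sample, "->", triage(sample))
```

A range match is only a starting point for triage. Distributions backport fixes without changing the upstream version number, so a package reporting 1.4.59 may already carry the 1.4.67 fix, and a package below 1.4.56 is outside the range regardless. The authoritative check is the one the bug description performs: whether the commit that introduced each bug is present in the source that is actually shipped.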
Score (CVSS v3; AV = attack vector, AC = attack complexity, PR = privileges required, UI = user interaction, A = availability impact):

CVE ID | Status | CVSS v3 score | AV | AC | PR | UI | A
---|---|---|---|---|---|---|---
CVE-2022-41556 | fixed | 7.5 | N | L | N | N | H
CVE-2022-30780 | fixed | 7.5 | N | L | N | N | H
References:
https:/
https:/
[lighttpd_
CVE-2022-41556: introduced by https://github.com/lighttpd/lighttpd1.4/commit/bcddbe186f010e2964f7551141c0b8350b36817d, which is not present in the lighttpd version StarlingX currently ships.
CVE-2022-30780: introduced by https://github.com/lighttpd/lighttpd1.4/commit/ec2ff2c6ae70f150cfb7e35b77344c16af87c862, which is not present in the lighttpd version StarlingX currently ships.