CVE-2022-41556

Name
CVE-2022-41556
Description
A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/lighttpd/lighttpd1.4/pull/115
MISC https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50
MISC https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67
GENTOO https://security.gentoo.org/glsa/202210-12
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:* lighttpd >= 1.4.56 < 1.4.67

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
lighttpd 3.16-main 1.4.64-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
lighttpd 3.15-main 1.4.64-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
lighttpd 3.14-main 1.4.64-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
lighttpd 3.13-main 1.4.64-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
lighttpd 3.17-main 1.4.67-r0 Natanael Copa <ncopa@alpinelinux.org> fixed