PT-2014-9113 · Opensuse+3 · Lighttpd+2

Jann Horn

·

Publicado

1970-01-01

·

Atualizado

2024-06-15

·

CVE-2014-2323

CVSS v3.1

9.8

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions lighttpd versions prior to 1.4.35
Description The issue concerns multiple vulnerabilities in the lighttpd package of the openSUSE operating system, which can lead to breaches of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. A specific vulnerability is a SQL injection issue in mod mysql vhost.c, allowing remote attackers to execute arbitrary SQL commands via the host name, related to request check hostname.
Recommendations For lighttpd versions prior to 1.4.35, update to version 1.4.35 or later to resolve the issue. As a temporary workaround, consider restricting access to the mod mysql vhost.c module to minimize the risk of exploitation. Avoid using the host name in the request check hostname function until the issue is resolved.

Exploit

Correção

RCE

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-89

Identificadores relacionados

ALT-PU-2014-1428
BDU:2015-05887
BDU:2015-05888
BDU:2015-05889
BDU:2015-05890
BDU:2015-05891
BDU:2015-05892
BDU:2015-05893
BDU:2015-05894
BDU:2015-05895
BDU:2015-05896
BDU:2015-05897
BDU:2015-05898
BDU:2015-05899
CVE-2014-2323
DSA-2877-1
MGASA-2014-0133
OPENSUSE-SU-2014_0449-1
OPENSUSE-SU-2014_0496-1
OPENSUSE-SU-2024:10402-1
SUSE-SU-2014_0474-1

Produtos afetados

Alt Linux
Lighttpd
Suse