PT-2011-4943 · Lighttpd+1

Jan Lieskovsky · Published 2011-12-24 · Updated 2024-06-15 · CVE-2011-4362

CVSS v2.0: 5.0 (Medium), Vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
lighttpd versions 1.4 before 1.4.30
lighttpd versions 1.5 before SVN revision 2806

Description
The issue is caused by an integer signedness error in the base64 decode function within the HTTP authentication functionality (the decoder that unpacks the base64-encoded credentials of an HTTP Basic Authorization header). The decoder uses each input byte, typed as a plain char, directly as an index into the decoding table. On platforms where char is signed, a byte with the high bit set (0x80 to 0xFF) becomes a negative value, so the lookup reads before the start of the table. A remote, unauthenticated attacker can therefore crash the server with a segmentation fault (denial of service) by sending an Authorization header whose base64 payload contains such bytes.

Recommendations
For lighttpd versions 1.4 before 1.4.30, update to version 1.4.30 or later. For lighttpd versions 1.5 before SVN revision 2806, update to SVN revision 2806 or later.
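The following C program is an added illustration and is not lighttpd's code: it isolates the bug class the description names (a signed char used as a table index) and puts a hardened decoder beside it. The 128-entry table, the function names and the sample credentials are constructed for this example; signed char is used explicitly in the vulnerable helper so the negative index is reproducible regardless of the compiler's default for char.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 128-entry reverse table: base64 alphabet -> 0..63, anything else -> -1.
 * Sized for 7-bit input on purpose: the bug class hinges on a byte >= 0x80
 * never being allowed to reach it as an index. (Constructed for this example.) */
static int8_t b64_rev[128];
static int b64_rev_ready = 0;

static void b64_init(void)
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (b64_rev_ready) return;
    memset(b64_rev, -1, sizeof b64_rev);
    for (int i = 0; i < 64; i++)
        b64_rev[(unsigned char)alphabet[i]] = (int8_t)i;
    b64_rev_ready = 1;
}

/* Root cause, isolated. The vulnerable pattern takes the input byte as a
 * plain char and uses it directly as a table index. lighttpd's type was
 * char, which is signed on x86; signed char is used here so the result is
 * the same on every compiler. A byte such as 0xC3 becomes -61, so table[c]
 * would read 61 bytes before the table. The index is returned rather than
 * dereferenced, so calling this function is safe. */
int vulnerable_table_index(signed char c)
{
    return (int)c;
}

/* Hardened decoder: every byte is widened through unsigned char, bytes
 * outside the 7-bit table are rejected before any indexing, and output is
 * bounded. Returns the decoded length, or -1 on malformed input.
 * '=' padding is accepted only at the end. */
long base64_decode(const char *in, size_t in_len, unsigned char *out, size_t out_cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0, i;

    b64_init();
    for (i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];   /* 0..255, never negative */
        if (c == '=') break;
        if (c >= sizeof b64_rev) return -1;        /* the byte that crashed the buggy code */
        int v = b64_rev[c];
        if (v < 0) return -1;                      /* not in the alphabet */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    for (; i < in_len; i++)                        /* only '=' may follow the data */
        if (in[i] != '=') return -1;
    return (long)n;
}

/* Decode the value part of "Authorization: Basic <b64>" into a
 * NUL-terminated user:password string. Returns the length, or -1. */
long decode_basic_credential(const char *b64, char *out, size_t out_cap)
{
    if (out_cap == 0) return -1;
    long n = base64_decode(b64, strlen(b64), (unsigned char *)out, out_cap - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return n;
}

int main(void)
{
    char cred[64];
    long n;
    /* Constructed inputs: a well-formed credential and one carrying a
     * high-bit byte, the shape of input the advisory describes. */
    const char *good = "YWRtaW46czNjcjN0";
    const char *bad  = "YWRt\xC3";

    printf("buggy index for byte 0xC3: %d\n", vulnerable_table_index((signed char)0xC3));
    n = decode_basic_credential(good, cred, sizeof cred);
    printf("good -> %ld bytes: %s\n", n, cred);
    n = decode_basic_credential(bad, cred, sizeof cred);
    printf("bad  -> %ld (rejected)\n", n);
    return 0;
}
```

The fix lighttpd shipped is the same idea as the first line of the loop: widen the byte through unsigned char before it touches the table, so no value can be negative; the explicit bound against the table size is the belt-and-braces check that makes the rejection visible to callers instead of relying on table layout.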


Related Identifiers

CVE-2011-4362
DSA-2368-1
OPENSUSE-SU-2024:10402-1
SUSE-SU-2012_0201-1
SUSE-SU-2012_0201-2

Affected Products

Lighttpd
Suse