PT-2014-9113 · Opensuse+3 · Lighttpd+2

Jann Horn

Published

1970-01-01

Updated

2024-06-15

CVE-2014-2323

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions lighttpd versions prior to 1.4.35

Description The issue concerns multiple vulnerabilities in the lighttpd package of the openSUSE operating system, which can lead to breaches of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. A specific vulnerability is a SQL injection issue in mod mysql vhost.c, allowing remote attackers to execute arbitrary SQL commands via the host name, related to request check hostname.

Recommendations For lighttpd versions prior to 1.4.35, update to version 1.4.35 or later to resolve the issue. As a temporary workaround, consider restricting access to the mod mysql vhost.c module to minimize the risk of exploitation. Avoid using the host name in the request check hostname function until the issue is resolved.

Exploit

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

ALT-PU-2014-1428

BDU:2015-05887

BDU:2015-05888

BDU:2015-05889

BDU:2015-05890

BDU:2015-05891

BDU:2015-05892

BDU:2015-05893

BDU:2015-05894

BDU:2015-05895

BDU:2015-05896

BDU:2015-05897

BDU:2015-05898

BDU:2015-05899

CVE-2014-2323

DSA-2877-1

MGASA-2014-0133

OPENSUSE-SU-2014_0449-1

OPENSUSE-SU-2014_0496-1

OPENSUSE-SU-2024:10402-1

SUSE-SU-2014_0474-1

Affected Products

Alt Linux

Lighttpd

Suse

PT-2014-9113 · Opensuse+3 · Lighttpd+2

CVE-2014-2323

Weakness Enumeration

Related Identifiers

Affected Products

References · 64