CVE-2022-30780 - Lighttpd - Denial of Service

May 16, 2022

Summary

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

Vulnerable versions

The following versions of lighttpd are vulnerable:

Software   Version   Vulnerable
Lighttpd   1.4.58    Yes ✅
Lighttpd   1.4.57    Yes ✅
Lighttpd   1.4.56    Yes ✅

Exploitation

On a vulnerable version, if an unauthenticated attacker sends too many requests exceeding the maximum URL size, none of the connections opened get closed and the server stops accepting new connections.

Demonstration

Here is a demonstration with:

Mitigations

In order to patch this vulnerability you need to update lighttpd to a version greater than 1.4.59.
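As an added check that is not part of the original advisory, the following Python parses a lighttpd version out of a Server header or a `lighttpd -v` banner and reports whether it falls inside the affected 1.4.56 through 1.4.58 range; the sample banners are constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the advisory: 1.4.56 through 1.4.58 inclusive.
FIRST_AFFECTED = (1, 4, 56)
LAST_AFFECTED = (1, 4, 58)

# Matches "lighttpd/1.4.58", "lighttpd 1.4.58" or "lighttpd-1.4.58".
_VERSION_RE = re.compile(r"lighttpd[/ -]?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_lighttpd_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Server header or `lighttpd -v` line.

    Returns None when no lighttpd version is present, e.g. a suppressed banner
    or a different server product.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the reported version is in the CVE-2022-30780 range,
    False if it is outside the range, None if no version could be read."""
    version = parse_lighttpd_version(text)
    if version is None:
        return None
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


# Constructed sample banners (not taken from the advisory) with expected results.
SAMPLES = {
    "Server: lighttpd/1.4.58": True,
    "Server: lighttpd/1.4.59": False,
    "lighttpd/1.4.56 (ssl) - a light and fast webserver": True,
    "Server: lighttpd/1.4.55": False,
    "Server: nginx": None,
}

if __name__ == "__main__":
    for banner, expected in SAMPLES.items():
        result = is_affected(banner)
        print(f"{banner!r}: affected={result}")
        assert result == expected
```

A banner can be hidden or misreport the build, and distributions sometimes backport fixes without changing the version string, so confirm with the package manager or changelog before treating a host as patched or unpatched.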

References