CVE-2022-30780 - Lighttpd - Denial of Service
May 16, 2022
cve denial-of-service unauthenticated
- Title : Lighttpd - Denial of Service
- Author : @podalirius_
- CVSS : 7.5 (High)
- CVSS Vector :
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.
Vulnerable versions
The following versions of lighttpd are vulnerable:
Software | Version | Vulnerable |
---|---|---|
Lighttpd | 1.4.58 | Yes ✅ |
Lighttpd | 1.4.57 | Yes ✅ |
Lighttpd | 1.4.56 | Yes ✅ |
Exploitation
On a vulnerable version, an unauthenticated attacker only has to send enough requests whose URL exceeds the maximum request size: each such connection is never closed by the server, and once enough of them pile up the server stops accepting new connections.
Demonstration
Here is a demonstration with:
- Top screen: A simple python exploit, sending GET requests exceeding the maximum URL size
- Bottom screen: A lighttpd server, version 1.4.56
Mitigations
In order to patch this vulnerability you need to update lighttpd to version 1.4.59 or later, which is where the fix to connection_read_header_more landed.