CVE-2022-30780 - Lighttpd - Denial of Service
- Title : Lighttpd - Denial of Service
- Author : @podalirius_
- CVSS : 7.5 (High)
- CVSS Vector :
Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.
The following versions of lighttpd are vulnerable:
On a vulnerable version, if an unauthenticated attacker sends too many requests exceeding the maximum URL size, none of the opened connections gets closed and the server stops accepting new connections.
Here is a demonstration with:
- Top screen: A simple python exploit, sending GET requests exceeding the maximum URL size
- Bottom screen: A lighttpd server, version 1.4.56
To patch this vulnerability, update lighttpd to a version greater than 1.4.59.
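To find which servers still need that update, the following added example (not part of the original advisory) parses the `Server` response header that lighttpd sends by default and flags versions inside the 1.4.56 through 1.4.58 range stated above; the sample banners at the bottom are constructed, and `probe` only issues a single ordinary HEAD request.

```python
import re
from http.client import HTTPConnection
from typing import Optional, Tuple

# Affected range taken from the advisory text: 1.4.56 through 1.4.58 (inclusive).
VULNERABLE_MIN = (1, 4, 56)
VULNERABLE_MAX = (1, 4, 58)

_BANNER_RE = re.compile(r"lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_lighttpd_banner(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Server header such as 'lighttpd/1.4.58'.

    Returns None when the header is not a lighttpd banner or carries no version,
    e.g. when the admin set a custom `server.tag` in lighttpd.conf (which hides it).
    """
    m = _BANNER_RE.search(server_header or "")
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable_version(version: Tuple[int, int, int]) -> bool:
    """True when the version tuple falls inside the affected range."""
    return VULNERABLE_MIN <= version <= VULNERABLE_MAX


def classify_banner(server_header: str) -> str:
    """Return 'vulnerable', 'not-affected' or 'unknown' for one Server header."""
    version = parse_lighttpd_banner(server_header)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable_version(version) else "not-affected"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Fetch the Server header with one ordinary HEAD request and classify it."""
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        banner = conn.getresponse().getheader("Server", "")
    finally:
        conn.close()
    return classify_banner(banner)


if __name__ == "__main__":
    # Constructed sample banners (not captured from any real host).
    for banner in ("lighttpd/1.4.55", "lighttpd/1.4.56", "lighttpd/1.4.58",
                   "lighttpd/1.4.59", "nginx/1.18.0", ""):
        print(f"{banner!r:22} -> {classify_banner(banner)}")
```

An "unknown" result means the banner does not reveal the version, so the installed package version must be checked on the host itself.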