Vulnerability Details : CVE-2012-5533
The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.
Vulnerability category: Denial of service
Products affected by CVE-2012-5533
- cpe:2.3:a:lighttpd:lighttpd:1.4.32:*:*:*:*:*:*:*
- cpe:2.3:a:lighttpd:lighttpd:1.4.31:*:*:*:*:*:*:*
Threat overview for CVE-2012-5533
Top countries where our scanners detected CVE-2012-5533
Top open port discovered on systems with this issue
80
IPs affected by CVE-2012-5533 218,387
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2012-5533!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2012-5533
66.34%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 98 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-5533
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2012-5533
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-5533
-
http://www.openwall.com/lists/oss-security/2012/11/21/1
oss-security - lighttpd 1.4.32 released, fixing CVE-2012-5533
-
http://www.securitytracker.com/id?1027802
lighttpd Connection Header Processing Flaw Lets Remote Users Deny Service - SecurityTracker
-
http://www.exploit-db.com/exploits/22902
lighttpd 1.4.31 - Denial of Service (PoC) - Linux dos ExploitExploit
-
http://marc.info/?l=bugtraq&m=141576815022399&w=2
'[security bulletin] HPSBGN03191 rev.1 - HP Remote Device Access: Virtual Customer Access System (vCA' - MARC
-
http://www.mandriva.com/security/advisories?name=MDVSA-2013:100
mandriva.com
-
http://www.securityfocus.com/bid/56619
lighttpd 'http_request_split_value()' Function Remote Denial of Service VulnerabilityExploit
-
http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch
Patch
-
http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html
openSUSE-SU-2012:1532-1: moderate: lighttpd
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/80213
lighttpd http_request_split_value() denial of service CVE-2012-5533 Vulnerability Report
-
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345
Support/Advisories/MGASA-2012-0345 - Mageia wiki
-
http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html
Simple Lighttpd 1.4.31 Denial Of Service ≈ Packet Storm
-
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
Vendor Advisory
-
http://lists.opensuse.org/opensuse-updates/2014-01/msg00051.html
openSUSE-SU-2014:0074-1: moderate: update for lighttpd to 1.4.32
Jump to