CVE-2022-41556 : A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.

Published 2022-10-06 18:17:04

Updated 2022-12-03 01:14:38

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2022-41556

Lighttpd » Lighttpd
Versions from including (>=) 1.4.56 and before (<) 1.4.67
cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2022-41556

Top countries where our scanners detected CVE-2022-41556

Top open port discovered on systems with this issue 443

IPs affected by CVE-2022-41556 212,744

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2022-41556!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2022-41556

EPSS FAQ

0.45%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 61 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-41556

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-41556

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-41556

https://github.com/lighttpd/lighttpd1.4/pull/115

[core] release connections in CLOSE_WAIT & CON_STATE_READ_POST state by gmd20 · Pull Request #115 · lighttpd/lighttpd1.4 · GitHub
Exploit;Issue Tracking;Third Party Advisory
https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67

Comparing lighttpd-1.4.66...lighttpd-1.4.67 · lighttpd/lighttpd1.4 · GitHub
Third Party Advisory
https://security.gentoo.org/glsa/202210-12

Lighttpd: Denial of Service (GLSA 202210-12) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50

[core] handle RDHUP when collecting chunked body · b18de6f926 - lighttpd1.4 - Gitea: git hosting on git.lighttpd.net
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/

[SECURITY] Fedora 35 Update: lighttpd-1.4.67-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory