CVE-2012-5533
First published: Sat Nov 24 2012(Updated: )
The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fipsasp Fipscms Light | =1.4.31 | |
| Fipsasp Fipscms Light | =1.4.32 |
Remedy
http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch
- http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
- http://lists.opensuse.org/opensuse-updates/2012-11/msg00044.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00051.html
- http://marc.info/?l=bugtraq&m=141576815022399&w=2
- http://osvdb.org/87623
- http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html
- http://secunia.com/advisories/51268
- http://secunia.com/advisories/51298
- http://www.exploit-db.com/exploits/22902
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:100
- http://www.openwall.com/lists/oss-security/2012/11/21/1
- http://www.securityfocus.com/bid/56619
- http://www.securitytracker.com/id?1027802
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80213
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345
Frequently Asked Questions
What is the severity of CVE-2012-5533?
CVE-2012-5533 is classified as a denial of service vulnerability.
How do I fix CVE-2012-5533?
To fix CVE-2012-5533, upgrade to lighttpd version 1.4.32 or later.
What vulnerabilities are associated with CVE-2012-5533?
CVE-2012-5533 allows remote attackers to cause an infinite loop through malformed HTTP headers.
Is CVE-2012-5533 present in lighttpd version 1.4.31?
Yes, CVE-2012-5533 is present in lighttpd version 1.4.31.
What is the impact of CVE-2012-5533 on web servers?
The impact of CVE-2012-5533 on web servers is that it can lead to denial of service, rendering the server unresponsive.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/remedy
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/lighttpd
- canonical/fipsasp fipscms light
- version/fipsasp fipscms light/1.4.31
- version/fipsasp fipscms light/1.4.32