First published: Thu Jan 06 2022
In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/lighttpd | 1.4.53-4+deb10u2, 1.4.53-4+deb10u3, 1.4.59-1+deb11u2, 1.4.69-1 | |
| Lighttpd Lighttpd | >=1.4.46 <=1.4.63 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
The vulnerability ID is CVE-2022-22707.
The severity of CVE-2022-22707 is medium.
The affected software is lighttpd version 1.4.46 through 1.4.63.
CVE-2022-22707 affects lighttpd through a stack-based buffer overflow in the mod_extforward plugin (in the mod_extforward_Forwarded function), which a remote client can trigger to crash the daemon (denial of service) when the server runs a non-default configuration that handles the Forwarded header in a somewhat unusual manner.
To fix CVE-2022-22707, update lighttpd to version 1.4.69-1 or apply the appropriate patches provided by the vendor.