CVE-2008-4298

EUVD-2008-4281
Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
lighttpdlighttpd
𝑥
≤ 1.4.19
lighttpdlighttpd
1.1.1
lighttpdlighttpd
1.1.2
lighttpdlighttpd
1.1.3
lighttpdlighttpd
1.1.4
lighttpdlighttpd
1.1.5
lighttpdlighttpd
1.1.6
lighttpdlighttpd
1.1.7
lighttpdlighttpd
1.1.8
lighttpdlighttpd
1.1.9
lighttpdlighttpd
1.2.1
lighttpdlighttpd
1.2.2
lighttpdlighttpd
1.2.3
lighttpdlighttpd
1.2.4
lighttpdlighttpd
1.2.5
lighttpdlighttpd
1.2.6
lighttpdlighttpd
1.2.7
lighttpdlighttpd
1.2.8
lighttpdlighttpd
1.3.0
lighttpdlighttpd
1.3.1
lighttpdlighttpd
1.3.2
lighttpdlighttpd
1.3.3
lighttpdlighttpd
1.3.4
lighttpdlighttpd
1.3.5
lighttpdlighttpd
1.3.6
lighttpdlighttpd
1.3.7
lighttpdlighttpd
1.3.8
lighttpdlighttpd
1.3.9
lighttpdlighttpd
1.3.10
lighttpdlighttpd
1.3.11
lighttpdlighttpd
1.3.12
lighttpdlighttpd
1.3.13
lighttpdlighttpd
1.3.14
lighttpdlighttpd
1.3.15
lighttpdlighttpd
1.3.16
lighttpdlighttpd
1.4.0
lighttpdlighttpd
1.4.1
lighttpdlighttpd
1.4.2
lighttpdlighttpd
1.4.3
lighttpdlighttpd
1.4.4
lighttpdlighttpd
1.4.5
lighttpdlighttpd
1.4.6
lighttpdlighttpd
1.4.7
lighttpdlighttpd
1.4.8
lighttpdlighttpd
1.4.9
lighttpdlighttpd
1.4.10
lighttpdlighttpd
1.4.11
lighttpdlighttpd
1.4.12
lighttpdlighttpd
1.4.13
lighttpdlighttpd
1.4.14
lighttpdlighttpd
1.4.15
lighttpdlighttpd
1.4.16
lighttpdlighttpd
1.4.17
lighttpdlighttpd
1.4.18
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
lighttpd
bookworm
1.4.69-1
fixed
bullseye
1.4.59-1+deb11u2
fixed
bullseye (security)
1.4.59-1+deb11u2
fixed
sid
1.4.76-1
fixed
trixie
1.4.76-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
lighttpd
dapper
ignored
feisty
ignored
gutsy
ignored
hardy
Fixed 1.4.19-0ubuntu3.1
released
intrepid
ignored
jaunty
not-affected
karmic
not-affected
Common Weakness Enumeration
References
http://bugs.gentoo.org/show_bug.cgi?id=238180
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
http://secunia.com/advisories/32069
http://secunia.com/advisories/32132
http://secunia.com/advisories/32480
http://secunia.com/advisories/32834
http://secunia.com/advisories/32972
http://security.gentoo.org/glsa/glsa-200812-04.xml
http://trac.lighttpd.net/trac/changeset/2305
http://trac.lighttpd.net/trac/ticket/1774
http://wiki.rpath.com/Advisories:rPSA-2008-0309
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
http://www.debian.org/security/2008/dsa-1645
http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
http://www.openwall.com/lists/oss-security/2008/09/26/5
http://www.securityfocus.com/archive/1/497932/100/0/threaded
http://www.securityfocus.com/bid/31434
http://www.vupen.com/english/advisories/2008/2741
https://exchange.xforce.ibmcloud.com/vulnerabilities/45471
http://bugs.gentoo.org/show_bug.cgi?id=238180
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
http://secunia.com/advisories/32069
http://secunia.com/advisories/32132
http://secunia.com/advisories/32480
http://secunia.com/advisories/32834
http://secunia.com/advisories/32972
http://security.gentoo.org/glsa/glsa-200812-04.xml
http://trac.lighttpd.net/trac/changeset/2305
http://trac.lighttpd.net/trac/ticket/1774
http://wiki.rpath.com/Advisories:rPSA-2008-0309
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
http://www.debian.org/security/2008/dsa-1645
http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
http://www.openwall.com/lists/oss-security/2008/09/26/5
http://www.securityfocus.com/archive/1/497932/100/0/threaded
http://www.securityfocus.com/bid/31434
http://www.vupen.com/english/advisories/2008/2741
https://exchange.xforce.ibmcloud.com/vulnerabilities/45471