CVE-2008-4298

Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
VendorProductVersion
lighttpdlighttpd
𝑥
≤ 1.4.19
lighttpdlighttpd
1.1.1
lighttpdlighttpd
1.1.2
lighttpdlighttpd
1.1.3
lighttpdlighttpd
1.1.4
lighttpdlighttpd
1.1.5
lighttpdlighttpd
1.1.6
lighttpdlighttpd
1.1.7
lighttpdlighttpd
1.1.8
lighttpdlighttpd
1.1.9
lighttpdlighttpd
1.2.1
lighttpdlighttpd
1.2.2
lighttpdlighttpd
1.2.3
lighttpdlighttpd
1.2.4
lighttpdlighttpd
1.2.5
lighttpdlighttpd
1.2.6
lighttpdlighttpd
1.2.7
lighttpdlighttpd
1.2.8
lighttpdlighttpd
1.3.0
lighttpdlighttpd
1.3.1
lighttpdlighttpd
1.3.2
lighttpdlighttpd
1.3.3
lighttpdlighttpd
1.3.4
lighttpdlighttpd
1.3.5
lighttpdlighttpd
1.3.6
lighttpdlighttpd
1.3.7
lighttpdlighttpd
1.3.8
lighttpdlighttpd
1.3.9
lighttpdlighttpd
1.3.10
lighttpdlighttpd
1.3.11
lighttpdlighttpd
1.3.12
lighttpdlighttpd
1.3.13
lighttpdlighttpd
1.3.14
lighttpdlighttpd
1.3.15
lighttpdlighttpd
1.3.16
lighttpdlighttpd
1.4.0
lighttpdlighttpd
1.4.1
lighttpdlighttpd
1.4.2
lighttpdlighttpd
1.4.3
lighttpdlighttpd
1.4.4
lighttpdlighttpd
1.4.5
lighttpdlighttpd
1.4.6
lighttpdlighttpd
1.4.7
lighttpdlighttpd
1.4.8
lighttpdlighttpd
1.4.9
lighttpdlighttpd
1.4.10
lighttpdlighttpd
1.4.11
lighttpdlighttpd
1.4.12
lighttpdlighttpd
1.4.13
lighttpdlighttpd
1.4.14
lighttpdlighttpd
1.4.15
lighttpdlighttpd
1.4.16
lighttpdlighttpd
1.4.17
lighttpdlighttpd
1.4.18
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
lighttpd
bullseye (security)
1.4.59-1+deb11u2
fixed
bullseye
1.4.59-1+deb11u2
fixed
bookworm
1.4.69-1
fixed
sid
1.4.76-1
fixed
trixie
1.4.76-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
lighttpd
karmic
not-affected
jaunty
not-affected
intrepid
ignored
hardy
Fixed 1.4.19-0ubuntu3.1
released
gutsy
ignored
feisty
ignored
dapper
ignored
Common Weakness Enumeration
References
http://bugs.gentoo.org/show_bug.cgi?id=238180
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
http://secunia.com/advisories/32069
http://secunia.com/advisories/32132
http://secunia.com/advisories/32480
http://secunia.com/advisories/32834
http://secunia.com/advisories/32972
http://security.gentoo.org/glsa/glsa-200812-04.xml
http://trac.lighttpd.net/trac/changeset/2305
http://trac.lighttpd.net/trac/ticket/1774
http://wiki.rpath.com/Advisories:rPSA-2008-0309
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
http://www.debian.org/security/2008/dsa-1645
http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
http://www.openwall.com/lists/oss-security/2008/09/26/5
http://www.securityfocus.com/archive/1/497932/100/0/threaded
http://www.securityfocus.com/bid/31434
http://www.vupen.com/english/advisories/2008/2741
https://exchange.xforce.ibmcloud.com/vulnerabilities/45471
http://bugs.gentoo.org/show_bug.cgi?id=238180
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
http://secunia.com/advisories/32069
http://secunia.com/advisories/32132
http://secunia.com/advisories/32480
http://secunia.com/advisories/32834
http://secunia.com/advisories/32972
http://security.gentoo.org/glsa/glsa-200812-04.xml
http://trac.lighttpd.net/trac/changeset/2305
http://trac.lighttpd.net/trac/ticket/1774
http://wiki.rpath.com/Advisories:rPSA-2008-0309
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309
http://www.debian.org/security/2008/dsa-1645
http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
http://www.openwall.com/lists/oss-security/2008/09/26/5
http://www.securityfocus.com/archive/1/497932/100/0/threaded
http://www.securityfocus.com/bid/31434
http://www.vupen.com/english/advisories/2008/2741
https://exchange.xforce.ibmcloud.com/vulnerabilities/45471