Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.0
CVE Id: CVE-2012-5533
Last Modified: 06 Feb 2014 11:43:30
Published: 24 Nov 2012 03:55:04
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2012-5533

Summary

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.

Vulnerable Systems

Application

  • Lighttpd 1.4.31

  • Lighttpd 1.4.32


References

SECTRACK - 1027802

BID - 56619

MLIST - [oss-security] 20121121 lighttpd 1.4.32 released, fixing CVE-2012-5533

EXPLOIT-DB - 22902

SECUNIA - 51298

SECUNIA - 51268

OSVDB - 87623

SUSE - openSUSE-SU-2012:1532

CONFIRM - http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt

MISC - http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch

XF - lighttpd-httprequestsplitvalue-dos(80213)

MISC - http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html

SUSE - openSUSE-SU-2014:0074

CONFIRM - https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345

MANDRIVA - MDVSA-2013:100


Last Updated: 27 May 2016 10:58:30