In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-3133-1 lighttpd security update
Debian DSA Debian DSA DSA-5243-1 lighttpd security update
EUVD EUVD EUVD-2022-40406 In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-03T10:37:41.657Z

Reserved: 2022-08-08T00:00:00

Link: CVE-2022-37797

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-09-12T15:15:08.170

Modified: 2024-11-21T07:15:11.137

Link: CVE-2022-37797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.