CVE-2013-4508
Severity: HIGH
lighttpd 1.4.24-1.4.33 - Inadequate Encryption Strength in SNI Configuration
Title source: llmDescription
lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.
References (8)
Exploit, Mitigation, Vendor Advisory (x_refsource_confirm): http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): http://openwall.com/lists/oss-security/2013/11/04/19
Issue Tracking, Third Party Advisory (vendor-advisory, x_refsource_hp): http://marc.info/?l=bugtraq&m=141576815022399&w=2
Issue Tracking, Vendor Advisory (x_refsource_confirm): http://redmine.lighttpd.net/issues/2525
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2013/dsa-2795
Broken Link (x_refsource_confirm): http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/
Third Party Advisory (third-party-advisory, x_refsource_jvn): http://jvn.jp/en/jp/JVN37417423/index.html
Scores
CVSS v3: 7.5
EPSS: 0.0263
EPSS Percentile: 83.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-326
Status: published
Products (7)
debian/debian_linux: 6.0
debian/debian_linux: 7.0
debian/debian_linux: 8.0
lighttpd/lighttpd: 1.4.24 - 1.4.33
opensuse/opensuse: 12.2
opensuse/opensuse: 12.3
opensuse/opensuse: 13.1
Published: Nov 08, 2013
Tracked Since: Feb 18, 2026