CVE-2022-37797
lighttpd 1.4.65 - Denial of Service via mod_wstunnel Null Pointer Dereference
Severity: HIGH
Title source: llmDescription
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer when it receives an invalid HTTP request (a malformed WebSocket handshake). This leads to a null pointer dereference that crashes the server, which an unauthenticated remote attacker could use to cause a denial of service condition.
References (4)
Exploit, Issue Tracking, Third Party Advisory: https://redmine.lighttpd.net/issues/3165
Mailing List, Third Party Advisory (vendor-advisory): https://www.debian.org/security/2022/dsa-5243
Mailing List, Third Party Advisory (mailing-list): https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html
Third Party Advisory (vendor-advisory): https://security.gentoo.org/glsa/202210-12
Scores
CVSS v3: 7.5
EPSS: 0.0144
EPSS Percentile: 81.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-476 (NULL Pointer Dereference)
Status: published
Products (2)
debian/debian_linux: 10.0
lighttpd/lighttpd: 1.4.65
Published: Sep 12, 2022
Tracked Since: Feb 18, 2026