Vulnerability Details CVE-2022-22707
In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 54.4%
CVSS Severity
CVSS v3 Score 5.9
CVSS v2 Score 4.3
References
Products affected by CVE-2022-22707
-
cpe:2.3:a:lighttpd:lighttpd:1.4.46
-
cpe:2.3:a:lighttpd:lighttpd:1.4.47
-
cpe:2.3:a:lighttpd:lighttpd:1.4.48
-
cpe:2.3:a:lighttpd:lighttpd:1.4.49
-
cpe:2.3:a:lighttpd:lighttpd:1.4.50
-
cpe:2.3:a:lighttpd:lighttpd:1.4.51
-
cpe:2.3:a:lighttpd:lighttpd:1.4.52
-
cpe:2.3:a:lighttpd:lighttpd:1.4.53
-
cpe:2.3:a:lighttpd:lighttpd:1.4.54
-
cpe:2.3:a:lighttpd:lighttpd:1.4.55
-
cpe:2.3:a:lighttpd:lighttpd:1.4.56
-
cpe:2.3:a:lighttpd:lighttpd:1.4.57
-
cpe:2.3:a:lighttpd:lighttpd:1.4.58
-
cpe:2.3:a:lighttpd:lighttpd:1.4.59
-
cpe:2.3:a:lighttpd:lighttpd:1.4.60
-
cpe:2.3:a:lighttpd:lighttpd:1.4.61
-
cpe:2.3:a:lighttpd:lighttpd:1.4.62
-
cpe:2.3:a:lighttpd:lighttpd:1.4.63
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:11.0