CVE-2022-30780

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

Weakness

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Affected Software

Potential Mitigations

• Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
• Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
• Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
• Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/128.html
• https://cwe.mitre.org/data/definitions/129.html

References

• https://github.com/lighttpd/lighttpd1.4
• https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service
• https://podalirius.net/en/cves/2022-30780/
• https://redmine.lighttpd.net/issues/3059
• https://github.com/lighttpd/lighttpd1.4
• https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service
• https://podalirius.net/en/cves/2022-30780/
• https://redmine.lighttpd.net/issues/3059