CVE-2012-5533

Description

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.

How to fix CVE-2012-5533

To remediate CVE-2012-5533, upgrade the affected package to a fixed version below.

• Debian/lighttpd—upgrade to 1.4.31-2 or later

Is CVE-2012-5533 being exploited?

Moderate — EPSS is 37.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 1.4.31-2

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-5533