CVE-2013-4559
EPSS 9.5%
Description
lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.
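The defect class the description refers to, as an added example that is not lighttpd's code: a privilege-drop routine that discards the return values of setgroups(), setgid() and setuid() next to a hardened one that checks each call and then verifies the resulting credentials. The `cred_ops` table, the `*_ops` instances and the `fake_setuid_eagain()` stand-in are constructed so the failure can be reproduced without actually exhausting a process limit; they are not part of lighttpd.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() in <grp.h> on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The three credential calls are reached through this table so that a
 * failing setuid() can be reproduced without exhausting a real process
 * limit. The indirection is a constructed testing aid, not lighttpd's code. */
typedef struct {
    int (*setgroups_fn)(size_t n, const gid_t *groups);
    int (*setgid_fn)(gid_t gid);
    int (*setuid_fn)(uid_t uid);
} cred_ops;

static int real_setgroups(size_t n, const gid_t *g) { return setgroups(n, g); }
const cred_ops real_ops = { real_setgroups, setgid, setuid };

/* Constructed stand-ins. fake_setuid_eagain() mimics setuid() failing with
 * EAGAIN, which Linux kernels before 3.1 return when the target user's
 * process limit (RLIMIT_NPROC) is already exhausted; that is the condition
 * the description says an attacker created with repeated clone() calls. */
static int ok_setgroups(size_t n, const gid_t *g) { (void)n; (void)g; return 0; }
static int ok_setgid(gid_t g) { (void)g; return 0; }
static int ok_setuid(uid_t u) { (void)u; return 0; }
static int fake_setuid_eagain(uid_t u) { (void)u; errno = EAGAIN; return -1; }
const cred_ops nproc_exhausted_ops = { ok_setgroups, ok_setgid, fake_setuid_eagain };
const cred_ops noop_ops = { ok_setgroups, ok_setgid, ok_setuid };

/* Vulnerable pattern: every return value is discarded. If setuid() fails the
 * process silently keeps its original (root) credentials and carries on.
 * Returns 1, meaning "proceeded to serve requests", no matter what happened. */
int drop_privileges_unchecked(const cred_ops *ops, uid_t uid, gid_t gid)
{
    ops->setgroups_fn(0, NULL);
    ops->setgid_fn(gid);
    ops->setuid_fn(uid);
    return 1;
}

/* Post-condition: the kernel reports the requested real and effective ids.
 * (glibc's getresuid()/getresgid() would additionally expose the saved ids.) */
int privileges_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Hardened pattern: check each call, keep the group changes before the uid
 * change (they need privilege that is gone after setuid()), and verify the
 * outcome before trusting it. Returns 0 on success, -1 with errno set. */
int drop_privileges_checked(const cred_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->setgroups_fn(0, NULL) != 0) return -1;
    if (ops->setgid_fn(gid) != 0) return -1;
    if (ops->setuid_fn(uid) != 0) return -1;
    if (!privileges_dropped(uid, gid)) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges_unchecked(&nproc_exhausted_ops, uid, gid) == 1)
        printf("unchecked: setuid failed, yet the server would start anyway\n");
    if (drop_privileges_checked(&nproc_exhausted_ops, uid, gid) != 0)
        perror("checked: refusing to start");
    return 0;
}
```

With `real_ops` the checked routine has to run as root; as an unprivileged user setgroups() itself fails with EPERM and the routine returns -1, which is the desired behaviour: a server that cannot reach the credentials it was configured for should refuse to start rather than keep whatever it has.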
How to fix CVE-2013-4559
To remediate CVE-2013-4559, upgrade lighttpd to a release that checks the return values of setuid, setgid and setgroups: upstream 1.4.33 or later, or the fixed distribution package listed below. After restarting the service, confirm with ps that the lighttpd processes run as the configured server.username rather than root.
- Debian/lighttpd: upgrade to 1.4.33-1+nmu1 or later
Is CVE-2013-4559 being exploited?
Moderate. EPSS is 9.5%, an estimated probability of exploitation activity within the next 30 days, not evidence that this CVE is being exploited. Track it, but it is not at the top of the prioritisation list.
Affected packages (1)
- Debian/lighttpd: all versions earlier than 1.4.33-1+nmu1