CVE-2022-37797
lighttpd - security update
CVSS 3.1 score: 7.5 (HIGH)
EPSS: 1.4%
Description
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. This leads to a null pointer dereference that crashes the server, and it could be used by an external attacker to cause a denial-of-service condition.
How to fix CVE-2022-37797
To remediate CVE-2022-37797, upgrade the affected package to a fixed version below.
- upgrade to 1.4.59-1+deb11u2 or later
- upgrade to 1.4.53-4+deb10u3 or later
- upgrade to 1.4.59-1+deb11u2 or later
Is CVE-2022-37797 being exploited?
Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- all versions < 1.4.59-1+deb11u2
- all versions < 1.4.53-4+deb10u3
- all versions < 1.4.59-1+deb11u2
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |