Vulnerability Name: CVE-2008-4298 (CCN-45471)

Assigned:2008-09-20
Published:2008-09-20
Updated:2018-10-11
Summary:Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type:CWE-399
Vulnerability Consequences:Denial of Service
References:Source: CONFIRM
Type: UNKNOWN
http://bugs.gentoo.org/show_bug.cgi?id=238180

Source: MITRE
Type: CNA
CVE-2008-4298

Source: SUSE
Type: UNKNOWN
SUSE-SR:2008:026

Source: CCN
Type: SA32069
lighttpd Duplicate Request Headers Memory Leak Vulnerability

Source: SECUNIA
Type: UNKNOWN
32069

Source: SECUNIA
Type: UNKNOWN
32132

Source: SECUNIA
Type: UNKNOWN
32480

Source: SECUNIA
Type: UNKNOWN
32834

Source: SECUNIA
Type: UNKNOWN
32972

Source: GENTOO
Type: UNKNOWN
GLSA-200812-04

Source: CCN
Type: LIGHTTPD Web site
Changeset 2305

Source: CONFIRM
Type: UNKNOWN
http://trac.lighttpd.net/trac/changeset/2305

Source: CCN
Type: LIGHTTPD Web site: Ticket #1774
lighttpd memory leak on duplicated request header

Source: CONFIRM
Type: Patch
http://trac.lighttpd.net/trac/ticket/1774

Source: CONFIRM
Type: UNKNOWN
http://wiki.rpath.com/Advisories:rPSA-2008-0309

Source: CONFIRM
Type: UNKNOWN
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0309

Source: DEBIAN
Type: UNKNOWN
DSA-1645

Source: DEBIAN
Type: DSA-1645
lighttpd -- various

Source: CCN
Type: GLSA-200812-04
lighttpd: Multiple vulnerabilities

Source: CONFIRM
Type: UNKNOWN
http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt

Source: MLIST
Type: UNKNOWN
[oss-security] 20080926 CVE Request (lighttpd)

Source: CCN
Type: OSVDB ID: 48682
lighttpd request.c http_request_parse Function Memory Leak Remote DoS

Source: BUGTRAQ
Type: UNKNOWN
20081030 rPSA-2008-0309-1 lighttpd

Source: BID
Type: UNKNOWN
31434

Source: CCN
Type: BID-31434
Lighttpd Duplicate Request Header Denial of Service Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2008-2741

Source: XF
Type: UNKNOWN
lighttpd-httprequestparse-dos(45471)

Source: SUSE
Type: SUSE-SR:2008:026
SUSE Security Summary Report

Vulnerable Configuration:Configuration 1:
  • cpe:/a:lighttpd:lighttpd:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.1.9:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.8:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.9:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.10:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.11:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.12:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.13:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.14:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.15:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.3.16:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.9:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.10:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.11:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.12:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.13:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.14:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.15:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.16:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.17:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:*:*:*:*:*:*:*:* (Version <= 1.4.19)

  • Configuration CCN 1:
  • cpe:/a:lighttpd:lighttpd:1.4.8:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.10:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.12:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.13:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.15:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.17:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.18:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.19:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.14:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.11:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.9:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.16:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

  * Denotes that component is vulnerable

    Oval Definitions
    Definition ID                            Class  Title                                   Last Modified
    oval:org.opensuse.security:def:20084298  V      CVE-2008-4298                           2015-11-16
    oval:org.mitre.oval:def:8191             P      DSA-1645 lighttpd -- various            2014-06-23
    oval:org.mitre.oval:def:20257            P      DSA-1645-1 lighttpd - various problems  2014-06-23
    oval:org.debian:def:1645                 V      various                                 2008-10-06