Vulnerability Name:

CVE-2013-4508 (CCN-88669)

Assigned:2013-11-04
Published:2013-11-04
Updated:2021-02-26
Summary:lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-326
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2013-4508

Source: CCN
Type: lighttpd SVN Repository Web Site
lighttpd SVN Repository

Source: CCN
Type: lighttpd SA-2013-01 Web Site
Using possibly vulnerable cipher suites with SNI

Source: CONFIRM
Type: Exploit, Mitigation, Vendor Advisory
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt

Source: JVN
Type: Third Party Advisory
JVN#37417423

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2014:0072

Source: HP
Type: Issue Tracking, Third Party Advisory
HPSBGN03191

Source: CCN
Type: oss-sec Mailing List, Mon, 04 Nov 2013 13:17:48 -0700
Re: CVE Request: lighttpd using vulnerable cipher suites with SNI

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20131104 Re: CVE Request: lighttpd using vulnerable cipher suites with SNI

Source: CCN
Type: Lighttpd lighty labs Web Site
ssl.cipher-list not inherited into SNI

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
http://redmine.lighttpd.net/issues/2525

Source: CONFIRM
Type: Broken Link
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/

Source: DEBIAN
Type: DSA-2795
lighttpd -- several vulnerabilities

Source: CCN
Type: lighttpd Web Site
lighttpd

Source: CCN
Type: BID-63534
lighttpd SSL Weak Cipher CVE-2013-4508 Security Bypass Weakness

Source: XF
Type: UNKNOWN
lighttpd-cve20134508-information-disclosure(88669)

Source: DEBIAN
Type: Third Party Advisory
DSA-2795

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-4508

Vulnerable Configuration:Configuration 1:
  • cpe:/a:lighttpd:lighttpd:*:*:*:*:*:*:*:* (Version >= 1.4.24 and <= 1.4.33)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:6.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:lighttpd:lighttpd:1.4.33:*:*:*:*:*:*:*
  • OR cpe:/a:lighttpd:lighttpd:1.4.32:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20134508
    V
    		CVE-2013-4508
    2022-09-02
    oval:org.opensuse.security:def:6349
    P
    		Security update for libgda (Important) (in QA)
    2022-08-31
    oval:org.opensuse.security:def:6327
    P
    		Security update for the Linux Kernel (Important)
    2022-04-14
    oval:org.opensuse.security:def:6326
    P
    		Security update for netatalk (Important)
    2022-04-13
    oval:org.opensuse.security:def:6361
    P
    		Security update for the Linux Kernel (Important)
    2022-03-09
    oval:org.opensuse.security:def:6337
    P
    		Security update for polkit (Important)
    2022-01-25
    oval:org.opensuse.security:def:112948
    P
    		lighttpd-1.4.37-1.6 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:6293
    P
    		Security update for virglrenderer (Important) (in QA)
    2022-01-17
    oval:org.opensuse.security:def:6304
    P
    		Security update for clamav-database (Important)
    2022-01-17
    oval:org.opensuse.security:def:6296
    P
    		Security update for net-snmp (Important)
    2022-01-11
    oval:org.opensuse.security:def:6285
    P
    		Security update for clamav-database (Important)
    2022-01-03
    oval:org.opensuse.security:def:7288
    P
    		Security update for the Linux Kernel (Important)
    2021-12-06
    oval:org.opensuse.security:def:6307
    P
    		Security update for the Linux Kernel (Important)
    2021-11-19
    oval:org.opensuse.security:def:7278
    P
    		Security update for the Linux Kernel (Important)
    2021-11-11
    oval:org.opensuse.security:def:6457
    P
    		Security update for the Linux Kernel (Important)
    2021-10-15
    oval:org.opensuse.security:def:7277
    P
    		Security update for the Linux Kernel (Important)
    2021-10-12
    oval:org.opensuse.security:def:106402
    P
    		lighttpd-1.4.37-1.6 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:7266
    P
    		Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP3) (Important)
    2021-09-16
    oval:org.opensuse.security:def:6453
    P
    		Security update for java-1_8_0-openjdk (Important)
    2021-08-20
    oval:org.opensuse.security:def:6476
    P
    		Security update for the Linux Kernel (Important)
    2021-08-14
    oval:org.opensuse.security:def:7255
    P
    		Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP3) (Important)
    2021-07-27
    oval:org.opensuse.security:def:12774
    P
    		lighttpd-1.4.35-1.34 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:123991
    P
    		lighttpd-1.4.35-3.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12785
    P
    		lighttpd-1.4.35-3.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:12796
    P
    		lighttpd-1.4.35-3.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:6445
    P
    		Security update for the Linux Kernel (Important)
    2021-04-16
    oval:org.opensuse.security:def:7244
    P
    		Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP2) (Important)
    2021-03-17
    oval:org.opensuse.security:def:6319
    P
    		Security update for python (Moderate)
    2021-03-16
    oval:org.opensuse.security:def:6464
    P
    		Security update for java-1_8_0-ibm (Important)
    2021-03-01
    oval:org.opensuse.security:def:6315
    P
    		Security update for avahi (Moderate)
    2021-02-23
    oval:org.opensuse.security:def:6442
    P
    		Security update for java-1_8_0-ibm (Moderate)
    2020-12-23
    oval:org.opensuse.security:def:12808
    P
    		lighttpd-1.4.35-3.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:6395
    P
    		libldap-2_4-2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6617
    P
    		gnome-settings-daemon on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6595
    P
    		eog on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6564
    P
    		busybox on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6604
    P
    		ft2demos on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6597
    P
    		expat on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6551
    P
    		accountsservice on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6408
    P
    		libneon27 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6628
    P
    		gstreamer-plugins-bad on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6606
    P
    		gd on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6576
    P
    		cups on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6517
    P
    		tcpdump on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6423
    P
    		libpython2_7-1_0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6372
    P
    		libexif12 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6615
    P
    		gnome-keyring on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6609
    P
    		gdm on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6542
    P
    		yast2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:7300
    P
    		lighttpd on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6419
    P
    		libpoppler-glib8 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6640
    P
    		imobiledevice-tools on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6618
    P
    		gnome-shell on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6575
    P
    		ctags on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6528
    P
    		wget on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6434
    P
    		libsoup-2_4-1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6383
    P
    		libgypsy0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6627
    P
    		gstreamer-0_10-plugins-good on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6584
    P
    		dhcp on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6553
    P
    		apparmor-docs on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6430
    P
    		libsilc-1_1-2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6593
    P
    		emacs on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6586
    P
    		dnsmasq on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:6539
    P
    		xorg-x11-libs on GA media (Moderate)
    2020-12-01
    oval:org.mitre.oval:def:28476
    P
    		DSA-2795-2 -- lighttpd -- several vulnerabilities
    2015-08-17
    oval:org.mitre.oval:def:20141
    P
    		DSA-2795-1 lighttpd - several
    2014-06-23
    oval:com.ubuntu.precise:def:20134508000
    V
    		CVE-2013-4508 on Ubuntu 12.04 LTS (precise) - medium.
    2013-11-07
    oval:com.ubuntu.trusty:def:20134508000
    V
    		CVE-2013-4508 on Ubuntu 14.04 LTS (trusty) - medium.
    2013-11-07
    oval:com.ubuntu.xenial:def:20134508000
    V
    		CVE-2013-4508 on Ubuntu 16.04 LTS (xenial) - medium.
    2013-11-07
    oval:com.ubuntu.xenial:def:201345080000000
    V
    		CVE-2013-4508 on Ubuntu 16.04 LTS (xenial) - medium.
    2013-11-07
    BACK
    lighttpd lighttpd *
    debian debian linux 6.0
    debian debian linux 7.0
    debian debian linux 8.0
    opensuse opensuse 12.2
    opensuse opensuse 12.3
    opensuse opensuse 13.1
    lighttpd lighttpd 1.4.33
    lighttpd lighttpd 1.4.32