CVE-2022-37797

NameCVE-2022-37797
DescriptionIn lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3133-1, DSA-5243-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lighttpd (PTS)jessie, jessie (lts)1.4.35-4+deb8u1fixed
stretch (security), stretch (lts), stretch1.4.45-1+deb9u1fixed
buster (security), buster, buster (lts)1.4.53-4+deb10u3fixed
bullseye (security), bullseye1.4.59-1+deb11u2fixed
bookworm1.4.69-1fixed
sid, trixie1.4.76-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lighttpdsourcejessie(not affected)
lighttpdsourcestretch(not affected)
lighttpdsourcebuster1.4.53-4+deb10u3DLA-3133-1
lighttpdsourcebullseye1.4.59-1+deb11u2DSA-5243-1
lighttpdsource(unstable)1.4.66-1

Notes

https://redmine.lighttpd.net/issues/3165
https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/971773f1fae600074b46ef64f3ca1f76c227985f (lighttpd-1.4.66)
[stretch] - lighttpd <not-affected> (mod_wstunnel introduced in 1.4.46)
[jessie] - lighttpd <not-affected> (mod_wstunnel introduced in 1.4.46)
Search for package or bug name: Reporting problems