CVE-2022-37797

NameCVE-2022-37797
DescriptionIn lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3133-1, DSA-5243-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lighttpd (PTS)jessie, jessie (lts)1.4.35-4+deb8u1fixed
stretch (security), stretch (lts), stretch1.4.45-1+deb9u1fixed
buster1.4.53-4+deb10u2vulnerable
buster (security)1.4.53-4+deb10u3fixed
bullseye (security), bullseye1.4.59-1+deb11u2fixed
bookworm1.4.69-1fixed
trixie1.4.74-1fixed
sid1.4.74-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lighttpdsourcejessie(not affected)
lighttpdsourcestretch(not affected)
lighttpdsourcebuster1.4.53-4+deb10u3DLA-3133-1
lighttpdsourcebullseye1.4.59-1+deb11u2DSA-5243-1
lighttpdsource(unstable)1.4.66-1

Notes

https://redmine.lighttpd.net/issues/3165
https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/971773f1fae600074b46ef64f3ca1f76c227985f (lighttpd-1.4.66)
[stretch] - lighttpd <not-affected> (mod_wstunnel introduced in 1.4.46)
[jessie] - lighttpd <not-affected> (mod_wstunnel introduced in 1.4.46)
Search for package or bug name: Reporting problems