CVE-2022-22707
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-22707
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22707.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-22707
- Downstream
- Related
- Published
- 2022-01-06T06:15:07Z
- Modified
- 2025-10-10T03:52:31.756210Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In lighttpd 1.4.46 through 1.4.63, the modextforwardForwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system.
- References
Affected packages
Git / github.com/lighttpd/lighttpd1.4
Affected versions
lighttpd-1.*
lighttpd-1.4.46
lighttpd-1.4.47
lighttpd-1.4.48
lighttpd-1.4.49
lighttpd-1.4.50
lighttpd-1.4.51
lighttpd-1.4.52
lighttpd-1.4.53
lighttpd-1.4.54
lighttpd-1.4.55
lighttpd-1.4.56
lighttpd-1.4.56-rc1
lighttpd-1.4.56-rc2
lighttpd-1.4.56-rc3
lighttpd-1.4.56-rc4
lighttpd-1.4.56-rc5
lighttpd-1.4.56-rc6
lighttpd-1.4.56-rc7
lighttpd-1.4.57
lighttpd-1.4.58
lighttpd-1.4.59
lighttpd-1.4.60
lighttpd-1.4.61
lighttpd-1.4.62
lighttpd-1.4.63