CVE-2008-0983

lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access.

Published: Feb 26, 2008
Updated: Apr 13, 2023
CVE: CVE-2008-0983
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-399

Affected Software
References

Software	From	Fixed in
lighttpd / lighttpd	1.4.18	1.4.18.x
lighttpd / lighttpd	1.4.8	1.4.8.x
lighttpd / lighttpd	1.4.17	1.4.17.x
lighttpd / lighttpd	1.4.11	1.4.11.x
lighttpd / lighttpd	1.4.14	1.4.14.x
lighttpd / lighttpd	1.4.10	1.4.10.x
lighttpd / lighttpd	1.4.16	1.4.16.x
lighttpd / lighttpd	1.4.12	1.4.12.x
lighttpd / lighttpd	1.4.9	1.4.9.x
lighttpd / lighttpd	1.4.7	1.4.7.x
lighttpd / lighttpd	1.4.15	1.4.15.x
lighttpd / lighttpd	1.4.13	1.4.13.x

http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html
http://secunia.com/advisories/29066
http://secunia.com/advisories/29166
http://secunia.com/advisories/29209
http://secunia.com/advisories/29268
http://secunia.com/advisories/29622
http://secunia.com/advisories/31104
http://security.gentoo.org/glsa/glsa-200803-10.xml
http://trac.lighttpd.net/trac/ticket/1562
http://wiki.rpath.com/Advisories:rPSA-2008-0084
http://www.debian.org/security/2008/dsa-1609
http://www.securityfocus.com/archive/1/488926/100/0/threaded
http://www.securityfocus.com/bid/27943
http://www.vupen.com/english/advisories/2008/0659/references
https://issues.rpath.com/browse/RPL-2284
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00162.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00180.html

Vulnerability Database

289,697

CVE-2008-0983