CVE-2013-4508

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.

Published: Nov 8, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-4508
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-326

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
lighttpd / lighttpd	1.4.24	1.4.33.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	7.0	7.0.x
debian / debian_linux	6.0	6.0.x
opensuse / opensuse	12.3	12.3.x
opensuse / opensuse	12.2	12.2.x
opensuse / opensuse	13.1	13.1.x

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
http://jvn.jp/en/jp/JVN37417423/index.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html
http://marc.info/?l=bugtraq&m=141576815022399&w=2
http://openwall.com/lists/oss-security/2013/11/04/19
http://redmine.lighttpd.net/issues/2525
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/
https://www.debian.org/security/2013/dsa-2795

Vulnerability Database

289,697

CVE-2013-4508