CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS
Percentile: 97.9%
Issue Overview:
The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the “Connection: TE,Keep-Alive” header.
Affected Packages:
lighttpd
Issue Correction:
Run yum update lighttpd to update your system.
New Packages:
i686:
lighttpd-mod_geoip-1.4.31-1.5.amzn1.i686
lighttpd-debuginfo-1.4.31-1.5.amzn1.i686
lighttpd-1.4.31-1.5.amzn1.i686
lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1.i686
lighttpd-fastcgi-1.4.31-1.5.amzn1.i686
src:
lighttpd-1.4.31-1.5.amzn1.src
x86_64:
lighttpd-debuginfo-1.4.31-1.5.amzn1.x86_64
lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1.x86_64
lighttpd-mod_geoip-1.4.31-1.5.amzn1.x86_64
lighttpd-fastcgi-1.4.31-1.5.amzn1.x86_64
lighttpd-1.4.31-1.5.amzn1.x86_64
Red Hat: CVE-2012-5533
Mitre: CVE-2012-5533