CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS
Percentile: 97.9%

Lighttpd security advisory reports:
Certain Connection header values will trigger an endless loop, for example:
"Connection: TE,Keep-Alive"
On receiving such value, lighttpd will enter an endless loop,
detecting an empty token but not incrementing the current string
position, and keep reading the "," again and again.
This bug was introduced in 1.4.31, when we fixed an "invalid read"
bug (it would try to read the byte before the string if it started
with ",", although the value wasn't actually used).
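
The bug class the advisory describes, a tokenizer that detects an empty token but does not move its position, shown beside the corrected behaviour. This is an added example, not lighttpd's code: count_tokens, its advance_on_empty switch, the max_steps budget (a stand-in for the endless loop) and the sample header value are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified comma-separated header tokenizer (hypothetical, NOT lighttpd's
 * implementation). With advance_on_empty = 0 it shows the defect: an empty
 * token is detected but the read position stays where it is.
 * Returns the number of non-empty tokens, or -1 when max_steps loop
 * iterations were used up, which stands in for the endless loop. */
static int count_tokens(const char *value, int advance_on_empty, int max_steps)
{
    const char *pos = value;
    int tokens = 0;

    for (int steps = 0; *pos != '\0'; steps++) {
        if (steps >= max_steps)
            return -1;                      /* no forward progress */

        while (*pos == ' ' || *pos == '\t') /* skip optional whitespace */
            pos++;

        size_t len = strcspn(pos, ",");     /* token runs to the next ',' */
        if (len == 0) {                     /* empty token */
            if (*pos == '\0')
                break;                      /* only trailing whitespace left */
            if (advance_on_empty)
                pos++;                      /* corrected: step over the ',' */
            continue;  /* without that step, pos is still on the same ',' */
        }

        tokens++;
        pos += len;
        if (*pos == ',')
            pos++;                          /* consume the separator */
    }
    return tokens;
}

int main(void)
{
    /* Constructed sample value containing one empty list element. */
    const char *sample = "Keep-Alive,,TE";

    printf("position not advanced: %d\n", count_tokens(sample, 0, 1000));
    printf("position advanced:     %d\n", count_tokens(sample, 1, 1000));
    return 0;
}
```

Every iteration of a parsing loop has to consume at least one byte or exit; a step budget like max_steps is a cheap regression test for that invariant.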