CVE-2013-4559

2013-11-2014:12:00

Debian Security Bug Tracker

security-tracker.debian.org

0.01 Low

EPSS

Percentile

83.8%

JSON

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.

OSVersionArchitecturePackageVersionFilename
Debian12alllighttpd< 1.4.33-1+nmu1lighttpd_1.4.33-1+nmu1_all.deb
Debian11alllighttpd< 1.4.33-1+nmu1lighttpd_1.4.33-1+nmu1_all.deb
Debian10alllighttpd< 1.4.33-1+nmu1lighttpd_1.4.33-1+nmu1_all.deb
Debian999alllighttpd< 1.4.33-1+nmu1lighttpd_1.4.33-1+nmu1_all.deb
Debian13alllighttpd< 1.4.33-1+nmu1lighttpd_1.4.33-1+nmu1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	lighttpd	< 1.4.33-1+nmu1	lighttpd_1.4.33-1+nmu1_all.deb
Debian	11	all	lighttpd	< 1.4.33-1+nmu1	lighttpd_1.4.33-1+nmu1_all.deb
Debian	10	all	lighttpd	< 1.4.33-1+nmu1	lighttpd_1.4.33-1+nmu1_all.deb
Debian	999	all	lighttpd	< 1.4.33-1+nmu1	lighttpd_1.4.33-1+nmu1_all.deb
Debian	13	all	lighttpd	< 1.4.33-1+nmu1	lighttpd_1.4.33-1+nmu1_all.deb

0.01 Low

EPSS

Percentile

83.8%

JSON

Related for DEBIANCVE:CVE-2013-4559