Description

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.

Remediation

References

CVE-2013-4559

Related Vulnerabilities

Atlassian Confluence CVE-2023-22515 Vulnerability (CVE-2023-22515)

MediaWiki Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2020-29004)

WordPress Plugin WebHotelier for WordPress Cross-Site Scripting (1.5)

GlassFish CVE-2013-1508 Vulnerability (CVE-2013-1508)

TCExam Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3806)

Severity

High

Classification

CVE-2013-4559 CWE-264

Tags

Missing Update Known Vulnerabilities