Description

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.

Remediation

References

CVE-2012-5533

Related Vulnerabilities

WordPress Plugin simple sort&search Cross-Site Scripting (0.0.3)

Jboss EAP Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') Vulnerability (CVE-2017-7561)

PHP Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability (CVE-2004-0594)

WordPress Other Vulnerability (CVE-2006-0986)

phpMyFAQ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2005-3046)

Severity

Medium

Classification

CVE-2012-5533

Tags

Missing Update Known Vulnerabilities