CVE-2022-30780 - lighttpd remote denial of service

Summary

An unauthenticated attacker can send an HTTP request whose URL exceeds the maximum URL length, resulting in a denial of service.

Vulnerable versions

The following versions of lighttpd are vulnerable:

| Software | Version | Vulnerable |
|----------|---------|------------|
| Lighttpd | 1.4.58  | Yes ✅     |
| Lighttpd | 1.4.57  | Yes ✅     |
| Lighttpd | 1.4.56  | Yes ✅     |
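As an added defender-side example (not code from this repository), the script below checks a Server header against the version table above and scans access-log lines for the overlong request URLs the summary describes. It assumes the combined log format, a URL-length threshold of 4096 that you should tune to your own limits, and constructed sample log lines.

```python
import re
from collections import Counter

# Affected builds, taken from the version table above.
VULNERABLE_VERSIONS = {(1, 4, 56), (1, 4, 57), (1, 4, 58)}
# Assumed threshold: request-targets longer than this are flagged; tune to your limits.
URI_LENGTH_THRESHOLD = 4096
# Assumes combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) \S+')

def lighttpd_version_is_vulnerable(server_header: str) -> bool:
    """True if a Server header names a lighttpd build in the affected table."""
    m = re.match(r'^lighttpd/(\d+)\.(\d+)\.(\d+)', server_header.strip())
    return bool(m) and tuple(int(x) for x in m.groups()) in VULNERABLE_VERSIONS

def parse_line(line: str):
    """Return (client, request-target length, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('request').split(' ')      # "METHOD target HTTP/x.y"
    target = parts[1] if len(parts) >= 2 else ''
    return m.group('host'), len(target), int(m.group('status'))

def overlong_requests_by_client(lines, threshold=URI_LENGTH_THRESHOLD):
    """Count per client the requests whose target exceeds the threshold or that
    the server rejected with 414 (URI Too Long)."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, target_len, status = parsed
        if target_len > threshold or status == 414:
            hits[client] += 1
    return dict(hits)

# Constructed sample lines (not real traffic): one normal request, two overlong ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2022:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Jun/2022:12:00:02 +0000] "GET /' + 'A' * 5000 + ' HTTP/1.1" 414 0 "-" "x"',
    '198.51.100.9 - - [10/Jun/2022:12:00:02 +0000] "GET /' + 'A' * 5000 + ' HTTP/1.1" 400 0 "-" "x"',
]

if __name__ == "__main__":
    print(overlong_requests_by_client(SAMPLE_LOG))  # {'198.51.100.9': 2}
```

If the server process dies before the access log entry is written, the triggering request may never appear in the log, so pair this check with monitoring for lighttpd restarts.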

Usage

$ ./CVE-2022-30780-lighttpd-denial-of-service.py -h
usage: CVE-2022-30780-lighttpd-denial-of-service.py [-h] [-v] -u URL [-k] [-t THREADS]

CVE-2022-30780-lighttpd-denial-of-service

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Verbose mode
  -u URL, --url URL     URL to connect to.
  -k, --insecure        Allow insecure server connections when using SSL (default: False)
  -t THREADS, --threads THREADS
                        Number of threads (default: 20)

Demonstration

demo.mp4

References