CVSS 9.8 · CRITICAL
CVE-2014-2323
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
View on NVDSeverity
Score: 9.8(CRITICAL)
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE):
CWE-89EPSS
Probability of exploitation (next 30 days): 0.9037 (90.4%)
Percentile: 99.6%
EPSS: 2026-05-06
Affects
lighttpd:lighttpddebian:debian_linuxopensuse:opensusesuse:linux_enterprise_high_availability_extensionsuse:linux_enterprise_software_development_kitTechnical description
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
Published: 3/14/2014, 3:55:05 PM
Last modified: 5/6/2026, 10:30:45 PM
References
- http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
- http://jvn.jp/en/jp/JVN37417423/index.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html
- http://marc.info/?l=bugtraq&m=141576815022399&w=2
- http://seclists.org/oss-sec/2014/q1/561
- http://seclists.org/oss-sec/2014/q1/564