CVSS 9.8 · CRITICAL
CVE-2014-2323
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
Ver en NVDSeveridad
Puntaje: 9.8(CRITICAL)
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE):
CWE-89EPSS
Probabilidad de explotación (próx. 30 días): 0.9037 (90.4%)
Percentil: 99.6%
EPSS: 2026-05-06
Afecta
lighttpd:lighttpddebian:debian_linuxopensuse:opensusesuse:linux_enterprise_high_availability_extensionsuse:linux_enterprise_software_development_kitDescripción técnica
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
Publicada: 14/3/2014, 15:55:05
Última modificación: 6/5/2026, 22:30:45
Referencias
- http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
- http://jvn.jp/en/jp/JVN37417423/index.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html
- http://marc.info/?l=bugtraq&m=141576815022399&w=2
- http://seclists.org/oss-sec/2014/q1/561
- http://seclists.org/oss-sec/2014/q1/564