CVE-2010-0295
Summary
| CVE | CVE-2010-0295 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2010-02-03 19:30:00 UTC |
| Updated | 2026-04-29 01:13:23 UTC |
| Description | lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. |
Risk And Classification
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
LowAuthentication
NoneConfidentiality
NoneIntegrity
NoneAvailability
PartialAV:N/AC:L/Au:N/C:N/I:N/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Lighttpd | Lighttpd | 1.0.2 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.0.3 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.1.0 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.1.1 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.1.2 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.1.3 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.1.4 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.1.5 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.1.6 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.1.7 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.1.8 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.1.9 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.2.0 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.2.1 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.2.2 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.2.3 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.2.5 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.2.6 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.2.7 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.2.8 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.0 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.1 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.10 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.11 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.12 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.13 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.14 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.15 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.16 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.2 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.3 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.4 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.5 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.6 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.8 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.3.9 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.0 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.10 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.11 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.12 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.13 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.14 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.15 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.16 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.17 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.18 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.19 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.2 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.20 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.21 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.22 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.23 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.24 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.3 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.4 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.5 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.6 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.7 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.8 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.4.9 | All | All | All |
| Application | Lighttpd | Lighttpd | 1.5.0 | All | All | All |
| Application | Lighttpd | Lighttpd | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lighttpd Slow Request Handling Remote Denial Of Service Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Exploit, Patch |
| Webmail- OVH | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | |
| [SECURITY] Fedora 13 Update: lighttpd-1.4.26-2.fc13 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch | af854a3a-2127-422b-91ae-364da2661108 | download.lighttpd.net | Patch |
| oss-security - lighttpd: slow request dos/oom attack [CVE-2010-0295] | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| Lighttpd - Revision 2711 - lighty labs | af854a3a-2127-422b-91ae-364da2661108 | redmine.lighttpd.net | |
| [SECURITY] Fedora 11 Update: lighttpd-1.4.26-2.fc11 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Fedora update for lighttpd - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security | af854a3a-2127-422b-91ae-364da2661108 | blogs.sun.com | |
| IBM X-Force Exchange | af854a3a-2127-422b-91ae-364da2661108 | exchange.xforce.ibmcloud.com | |
| Gentoo Linux Documentation -- lighttpd: Denial of Service | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| [SECURITY] Fedora 12 Update: lighttpd-1.4.26-2.fc12 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| lighttpd Slow Request Denial of Service Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch | af854a3a-2127-422b-91ae-364da2661108 | download.lighttpd.net | Patch |
| Lighttpd - Revision 2710 - lighty labs | af854a3a-2127-422b-91ae-364da2661108 | redmine.lighttpd.net | |
| Debian -- Security Information -- DSA-1987-1 lighttpd | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Lighttpd - Bug #2147: slow request dos/oom attack - lighty labs | af854a3a-2127-422b-91ae-364da2661108 | redmine.lighttpd.net | |
| download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt | af854a3a-2127-422b-91ae-364da2661108 | download.lighttpd.net | Patch |
| [security-announce] SUSE Security Summary Report: SUSE-SR:2010:003 | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.