{"api_version":"1","generated_at":"2026-04-23T04:21:36+00:00","cve":"CVE-2022-37797","urls":{"html":"https://cve.report/CVE-2022-37797","api":"https://cve.report/api/cve/CVE-2022-37797.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-37797","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-37797"},"summary":{"title":"CVE-2022-37797","description":"In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-09-12 15:15:00","updated_at":"2022-12-03 01:11:00"},"problem_types":["CWE-476"],"metrics":[],"references":[{"url":"https://redmine.lighttpd.net/issues/3165","name":"https://redmine.lighttpd.net/issues/3165","refsource":"MISC","tags":[],"title":"Bug #3165: mod_wstunnel null pointer dereference - Lighttpd - lighty labs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html","name":"[debian-lts-announce] 20221003 [SECURITY] [DLA 3133-1] lighttpd security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3133-1] lighttpd security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202210-12","name":"GLSA-202210-12","refsource":"GENTOO","tags":[],"title":"Lighttpd: Denial of Service (GLSA 202210-12) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2022/dsa-5243","name":"DSA-5243","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5243-1 lighttpd","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-37797","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37797","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"37797","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"37797","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"lighttpd","cpe5":"lighttpd","cpe6":"1.4.65","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-37797","qid":"181083","title":"Debian Security Update for lighttpd (DSA 5243-1)"},{"cve":"CVE-2022-37797","qid":"181100","title":"Debian Security Update for lighttpd (DLA 3133-1)"},{"cve":"CVE-2022-37797","qid":"182453","title":"Debian Security Update for lighttpd (CVE-2022-37797)"},{"cve":"CVE-2022-37797","qid":"354847","title":"Amazon Linux Security Advisory for lighttpd : ALAS-2023-1705"},{"cve":"CVE-2022-37797","qid":"710656","title":"Gentoo Linux Lighttpd Denial of Service Vulnerability (GLSA 202210-12)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-37797","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://redmine.lighttpd.net/issues/3165","refsource":"MISC","name":"https://redmine.lighttpd.net/issues/3165"},{"refsource":"DEBIAN","name":"DSA-5243","url":"https://www.debian.org/security/2022/dsa-5243"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221003 [SECURITY] [DLA 3133-1] lighttpd security update","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html"},{"refsource":"GENTOO","name":"GLSA-202210-12","url":"https://security.gentoo.org/glsa/202210-12"}]}},"nvd":{"publishedDate":"2022-09-12 15:15:00","lastModifiedDate":"2022-12-03 01:11:00","problem_types":["CWE-476"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:lighttpd:lighttpd:1.4.65:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}