
CVE-2022-30780

Severity: High · Public PoC

Published: 11 June 2022
Modified: 21 November 2024
KEV Added: none (not listed in the CISA KEV catalog)
CVSS Score (v3.1): 7.5 High, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.8150 (99.2nd percentile)
Risk Priority: 64 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-30780 is a high-severity Incorrect Calculation (CWE-682) vulnerability in lighttpd (vendor: lighttpd). Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 0.8% of CVEs by EPSS exploit likelihood (99.2nd percentile), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

Lighttpd versions 1.4.56 through 1.4.58 contain a vulnerability in the connection_read_header_more function in connections.c. A typo in that code disrupts the handling of multiple read operations when a large HTTP header arrives in several pieces, leaving connections stuck and the server consuming excessive CPU on them. The issue is classified as CWE-682 (Incorrect Calculation) and carries a CVSS v3.1 base score of 7.5, reflecting high availability impact (A:H) over a network vector (AV:N) with no privileges (PR:N) or user interaction (UI:N) required.

An unauthenticated remote attacker can trigger the flaw by sending specially crafted requests containing oversized headers. Successful exploitation results in denial of service through sustained CPU usage and connection exhaustion; confidentiality and integrity of the server are not affected (C:N/I:N).

Public references point to the lighttpd GitHub repository and the project's Redmine issue tracker, where the source change correcting the typo is available; administrators should upgrade past 1.4.58 to a release that contains the fix, which restores correct multi-read header processing. The EPSS score peaked at 0.8182 and currently stands at 0.8150, indicating a sustained high predicted probability of exploitation since disclosure.
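Because the affected range is narrow and version-specific, the first practical step is an inventory check. The following is an added example, not code from this page or from the lighttpd project: it classifies a lighttpd Server banner against the 1.4.56 to 1.4.58 range stated above and optionally probes a URL with a HEAD request. The banner format "lighttpd/X.Y.Z", the HEAD probe and the sample banners are assumptions made for illustration; note that operators can change or blank the banner with lighttpd's server.tag directive, so a missing or foreign banner is reported as unknown rather than safe.

```python
"""Triage helper for CVE-2022-30780: flag lighttpd 1.4.56-1.4.58 from a Server banner.

Added example, not code from the lighttpd project or from the advisory page.
The affected range comes from the advisory; the banner format handling and the
optional network probe are assumptions made for illustration.
"""
import http.client
import re
from urllib.parse import urlparse

# Versions named as affected on the advisory page.
AFFECTED = {(1, 4, 56), (1, 4, 57), (1, 4, 58)}

# lighttpd's default Server header looks like "lighttpd/1.4.57"; operators can
# override or blank it with server.tag, so a missing banner is "unknown", not "safe".
_BANNER = re.compile(r"^lighttpd/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(server_header):
    """Return (major, minor, patch) from a lighttpd Server header, or None."""
    if not server_header:
        return None
    m = _BANNER.match(server_header.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(server_header):
    """Return 'affected', 'not-affected' or 'unknown' for CVE-2022-30780."""
    version = parse_version(server_header)
    if version is None:
        return "unknown"
    return "affected" if version in AFFECTED else "not-affected"


def probe(url, timeout=5.0):
    """Send a HEAD request to url and classify its Server banner (requires network)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return classify(resp.getheader("Server"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = ["lighttpd/1.4.57", "lighttpd/1.4.59", "lighttpd/1.4.55",
               "LightTPD/1.4.56 (Unix)", "nginx/1.22.0", "", None]
    for banner in samples:
        print(f"{banner!r:26} -> {classify(banner)}")
```

Run it directly to see the constructed samples classified, or call probe("http://host/") against your own hosts. Treat "unknown" as a prompt to confirm the package version on the host (for example from the distribution package database) rather than as a negative result, since the banner is under the operator's control.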

Vulnerability details

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

CWE(s)

CWE-682 (Incorrect Calculation)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: lighttpd
Product: lighttpd
Versions: 1.4.56, 1.4.57, 1.4.58

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.