CVE-2022-30780
Published: 11 June 2022
Summary
CVE-2022-30780 is a high-severity Incorrect Calculation (CWE-682) vulnerability in Lighttpd. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
Lighttpd versions 1.4.56 through 1.4.58 contain a vulnerability in the connection_read_header_more function within connections.c. A typo in the code disrupts the handling of multiple read operations when processing large HTTP headers, so affected connections become stuck and drive excessive CPU consumption on the server. The issue is tracked as CWE-682 and carries a CVSS 3.1 score of 7.5, reflecting high availability impact over a network vector with no required privileges or user interaction.
An unauthenticated remote attacker can trigger the flaw by sending specially crafted requests containing oversized headers. Successful exploitation results in denial of service through sustained CPU usage and connection exhaustion, without affecting confidentiality or integrity of the server.
Public references point to the lighttpd GitHub repository and the project's Redmine issue tracker, where the source changes correcting the typo are available; administrators should apply updates from these sources to restore correct multi-read header processing. The EPSS score has reached a peak of 0.8182 with a current value of 0.8150, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52604
Vulnerability details
Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.