{"id":"CVE-2022-37797","details":"In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.","modified":"2026-04-02T08:09:17.497154Z","published":"2022-09-12T15:15:08.170Z","related":["MGASA-2022-0369","openSUSE-SU-2022:10132-1","openSUSE-SU-2024:12327-1"],"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202210-12"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5243"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html"},{"type":"REPORT","url":"https://redmine.lighttpd.net/issues/3165"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lighttpd/lighttpd1.4","events":[{"introduced":"0"},{"last_affected":"388aad082c5e45575e7d1f866e6fe7acf562e45e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.4.65"}]}}],"versions":["lighttpd-1.3.11","lighttpd-1.3.12","lighttpd-1.3.13","lighttpd-1.3.14","lighttpd-1.3.15","lighttpd-1.3.16","lighttpd-1.4.1","lighttpd-1.4.2","lighttpd-1.4.25","lighttpd-1.4.26","lighttpd-1.4.27","lighttpd-1.4.28","lighttpd-1.4.29","lighttpd-1.4.3","lighttpd-1.4.30","lighttpd-1.4.31","lighttpd-1.4.32","lighttpd-1.4.33","lighttpd-1.4.34","lighttpd-1.4.35","lighttpd-1.4.36","lighttpd-1.4.36--rc1","lighttpd-1.4.37","lighttpd-1.4.38","lighttpd-1.4.39","lighttpd-1.4.4","lighttpd-1.4.40","lighttpd-1.4.41","lighttpd-1.4.42","lighttpd-1.4.43","lighttpd-1.4.44","lighttpd-1.4.45","lighttpd-1.4.46","lighttpd-1.4.47","lighttpd-1.4.48","lighttpd-1.4.49","lighttpd-1.4.5","lighttpd-1.4.50","lighttpd-1.4.51","lighttpd-1.4.52","lighttpd-1.4.53","lighttpd-1.4.54","lighttpd-1.4.55","lighttpd-1.4.56","lighttpd-1.4.56-rc1","lighttpd-1.4.56-rc2","lighttpd-1.4.56-rc3","lighttpd-1.4.56-rc4","lighttpd-1.4.56-rc5","lighttpd-1.4.56-rc6","lighttpd-1.4.56-rc7","lighttpd-1.4.57","lighttpd-1.4.58","lighttpd-1.4.59","lighttpd-1.4.6","lighttpd-1.4.60","lighttpd-1.4.61","lighttpd-1.4.62","lighttpd-1.4.63","lighttpd-1.4.64","lighttpd-1.4.65","lighttpd-1.4.7"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-37797.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}