Vulnerability Change Records for CVE-2024-3708

Change History

CVE Translated by AMI 7/09/2024 11:15:11 AM

Action Type Old Value New Value
Removed Translation
Title: lighttpd 
Description: A condition exists in lighttpd version prior to 1.4.51 whereby a remote attacker can craft an http request which could result in multiple outcomes: 1.) cause lighttpd to access freed memory, in which case the process lighttpd is running in could be terminated or other non-deterministic behavior could result 2.) a memory information disclosure event could result which could be used to determine the state of memory and could then be used to theoretically bypass ALSR protections. This CVE will be updated with more details on July 9, 2024 after affected parties have had time to remediate.

CVE Rejected by AMI 7/09/2024 11:15:11 AM

Action Type Old Value New Value

CVE Modified by AMI 7/09/2024 11:15:11 AM

Action Type Old Value New Value
Removed CVSS V4.0
AMI AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Removed CWE
AMI CWE-200

Changed Description
A condition exists in lighttpd version prior to 1.4.51 whereby a remote attacker can craft an http request which could result in multiple outcomes:
1.) cause lighttpd to access freed memory in which case the process lighttpd is running in could be terminated or other non-deterministic behavior could result
2.) a memory information disclosure event could result which could be used to determine the state of memory which could then be used to theoretically bypass ALSR protections

This CVE will be updated with more details on July 9th, 2024 after affected parties have had time to remediate.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Removed Reference
AMI https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024002.pdf