{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2018-25103","assignerOrgId":"37e5125f-f79b-445b-8fad-9564f167944b","state":"PUBLISHED","assignerShortName":"certcc","dateReserved":"2024-06-17T17:47:24.277Z","datePublished":"2024-06-17T18:02:57.162Z","dateUpdated":"2025-09-15T20:05:35.756Z"},"containers":{"cna":{"title":"Use-after-free vulnerabilities in lighttpd <= 1.4.50","descriptions":[{"lang":"en","value":"Use-after-free vulnerabilities exist in lighttpd <= 1.4.50 request parsing, which might read from invalid pointers to memory used in the same request, not from other requests."}],"source":{"discovery":"EXTERNAL"},"credits":[{"lang":"en","value":"Thanks to VDOO Embedded Security part of JFROG for reporting the vulnerability in the If-Modified-Since header with line folding, and thanks to Marcus Wengelin for reporting the vulnerability in the Range header with a specially crafted pair of Range headers.","type":"finder"}],"affected":[{"vendor":"lighttpd","product":"lighttpd","versions":[{"status":"affected","version":"*","lessThanOrEqual":"1.4.50","versionType":"custom"}]}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-416: Use After Free"}]}],"references":[{"url":"https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#more-736"},{"url":"https://www.runzero.com/blog/lighttpd/"},{"url":"https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9"},{"url":"https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8"},{"url":"https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024002.pdf"},{"url":"https://www.kb.cert.org/vuls/id/312260"}],"x_generator":{"engine":"VINCE 3.0.4","env":"prod","origin":"https://cveawg.mitre.org/api/cve/CVE-2018-25103"},"providerMetadata":{"orgId":"37e5125f-f79b-445b-8fad-9564f167944b","shortName":"certcc","dateUpdated":"2024-07-09T14:45:06.732Z"}},"adp":[{"affected":[{"vendor":"lighttpd","product":"lighttpd","cpes":["cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThanOrEqual":"1.4.50","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.3,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"NONE","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-09-15T20:05:27.032213Z","id":"CVE-2018-25103","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-15T20:05:35.756Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-05T12:33:49.277Z"},"title":"CVE Program Container","references":[{"url":"https://blogvdoo.wordpress.com/2018/11/06/giving-back-securing-open-source-iot-projects/#more-736","tags":["x_transferred"]},{"url":"https://www.runzero.com/blog/lighttpd/","tags":["x_transferred"]},{"url":"https://github.com/lighttpd/lighttpd1.4/commit/df8e4f95614e476276a55e34da2aa8b00b1148e9","tags":["x_transferred"]},{"url":"https://github.com/lighttpd/lighttpd1.4/commit/d161f53de04bc826ce1bdaeb3dce2c72ca50a3f8","tags":["x_transferred"]},{"url":"https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024002.pdf","tags":["x_transferred"]},{"url":"https://www.kb.cert.org/vuls/id/312260","tags":["x_transferred"]}]}]},"dataVersion":"5.1"}