Unrated severityNVD Advisory· Published Nov 20, 2013· Updated Apr 29, 2026

CVE-2013-4559

Description

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.

Affected products

Lighttpd/Lighttpd
cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*
Range: <1.4.33
Debian/Debian Linux3 versions
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
OpenSUSE/openSUSE3 versions
cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txtnvdVendor Advisory
jvn.jp/en/jp/JVN37417423/index.htmlnvdThird Party Advisory
lists.opensuse.org/opensuse-updates/2014-01/msg00049.htmlnvdMailing ListThird Party Advisory
marc.infonvdIssue TrackingThird Party Advisory
secunia.com/advisories/55682nvdThird Party Advisory
www.openwall.com/lists/oss-security/2013/11/12/4nvdMailing ListThird Party Advisory
kc.mcafee.com/corporate/indexnvdThird Party Advisory
www.debian.org/security/2013/dsa-2795nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.008
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000