VYPR
Unrated severityNVD Advisory· Published Nov 20, 2013· Updated Jun 16, 2026

CVE-2013-4559

CVE-2013-4559

Description

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

9
  • Lighttpd/Lighttpd2 versions
    cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*range: <1.4.33
    • (no CPE)range: <1.4.33
  • Debian/linux3 versions
    cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*+ 2 more
    • cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
    • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OpenSUSE/openSUSE3 versions
    cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*+ 2 more
    • cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
    • cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
    • cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.