{"id":"CVE-2022-37797","details":"In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. This leads to a null pointer dereference, which crashes the server. An external attacker could use this to cause a denial-of-service condition.","modified":"2026-05-18T05:55:47.405030653Z","published":"2022-09-12T00:00:00Z","related":["openSUSE-SU-2022:10132-1","openSUSE-SU-2024:12327-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/37xxx/CVE-2022-37797.json","cna_assigner":"mitre"},"references":[{"type":"WEB","url":"https://redmine.lighttpd.net/issues/3165"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/37xxx/CVE-2022-37797.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37797"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202210-12"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5243"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lighttpd/lighttpd1.4","events":[{"introduced":"0"},{"last_affected":"388aad082c5e45575e7d1f866e6fe7acf562e45e"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.4.65"}],"cpe":"cpe:2.3:a:lighttpd:lighttpd:1.4.65:*:*:*:*:*:*:*"}}],"versions":["lighttpd-1.4.65","lighttpd-1.4.64","lighttpd-1.4.63","lighttpd-1.4.62","lighttpd-1.4.61","lighttpd-1.4.60","lighttpd-1.4.59","lighttpd-1.4.58","lighttpd-1.4.57","lighttpd-1.4.56","lighttpd-1.4.56-rc7","lighttpd-1.4.56-rc6","lighttpd-1.4.56-rc5","lighttpd-1.4.56-rc4","lighttpd-1.4.56-rc3","lighttpd-1.4.56-rc2","lighttpd-1.4.56-rc1","lighttpd-1.4.55","lighttpd-1.4.54","lighttpd-1.4.53","lighttpd-1.4.52","lighttpd-1.4.51","lighttpd-1.4.50","lighttpd-1.4.49","lighttpd-1.4.48","lighttpd-1.4.47","lighttpd-1.4.46","l
ighttpd-1.4.45","lighttpd-1.4.44","lighttpd-1.4.43","lighttpd-1.4.42","lighttpd-1.4.41","lighttpd-1.4.40","lighttpd-1.4.39","lighttpd-1.4.38","lighttpd-1.4.37","lighttpd-1.4.36","lighttpd-1.4.36--rc1","lighttpd-1.4.35","lighttpd-1.4.34","lighttpd-1.4.33","lighttpd-1.4.32","lighttpd-1.4.31","lighttpd-1.4.30","lighttpd-1.4.29","lighttpd-1.4.28","lighttpd-1.4.27","lighttpd-1.4.26","lighttpd-1.4.25","lighttpd-1.4.7","lighttpd-1.4.6","lighttpd-1.4.5","lighttpd-1.4.4","lighttpd-1.4.3","lighttpd-1.4.2","lighttpd-1.4.1","lighttpd-1.3.16","lighttpd-1.3.15","lighttpd-1.3.14","lighttpd-1.3.13","lighttpd-1.3.12","lighttpd-1.3.11"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37797.json"}}],"schema_version":"1.7.5"}