CVE-2013-4508

Severity CVSS v4.0:
Pending analysis
Type:
CWE-326 Inadequate Encryption Strength
Publication date:
08/11/2013
Last modified:
11/04/2025

Description

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:* 1.4.24 (including) 1.4.33 (including)
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*