VU#312260: Use-after-free vuln... Note

VU#312260: Use-after-free vulnerability in lighttpd version 1.4.50 and earlier

Lighttpd versions 1.4.50 and earlier have a use-after-free vulnerability that allows remote attackers to crash the server or leak memory for sensitive data access. Despite being fixed in 2018, many implementations remain vulnerable due to the lack of a CVE ID. The vulnerability affects IoT and firmware environments that use lighttpd. Binarly discovered persistent exploitation, leading to the assignment of CVE-2018-25103. The impact varies depending on lighttpd's implementation in different products. Attackers can crash the server or leak memory for sensitive data access. The CERT/CC recommends applying vendor patches, limiting network access to lighttpd, or replacing vulnerable hardware/software. Special thanks to Binarly, VDOO, lighttpd, and AMI for their cooperation in this disclosure and outreach effort.