Lighttpd

The software supply chain is complicated, and all the issues associated with it are something we haven't dealt with before and require a different mindset and approach. The vulnerability in Lighttpd was discovered and fixed back in 2018, but a CVE was not assigned to this vulnerability, and a fix was delivered silently by project maintainers. Frequently, the software that uses the open-sourced components does not consume every single update coming from OSS maintainers and only watches the critical changes or important security fixes to apply. In reality, it's hard to track every change for security issues without specific security advisories and CVE assigned.

runZero on detecting outdated Lighttpd services in the field.

CyberScoop on the permanent nature of the Lighttpd vulnerability.

BINARLY team has discovered a Heap Out-of-bounds Read vulnerability in the `lighttpd` web server, allowing a potential attacker to exfiltrate sensitive information from process memory.

BleepingComputer reports on long-standing BMC vulnerability in Intel/Lenovo servers.

Ars Technica coverage of unfixable Lighttpd vulnerability in Intel/Lenovo servers.

BINARLY team has discovered a Heap Out-of-bounds Read vulnerability in the web server component of Lenovo BMC firmware, allowing a potential attacker to exfiltrate sensitive information from Lighttpd process memory.

BINARLY team has discovered a Heap Out-of-bounds Read vulnerability in the web server component of Intel BMC firmware, allowing a potential attacker to exfiltrate sensitive information from Lighttpd process memory.