Time Tips

LiteSpeed Web Server vulnerabilities

March 21, 20241 Mins read

Editor

0 Shares

Let’s explore some vulnerabilities associated with the LiteSpeed Web Server (LSWS). While LSWS is known for its performance and security features, it’s essential to be aware of potential risks. Here are notable vulnerabilities:

CVE-2022-0072: Directory Traversal:
- Severity: Medium (CVSS 5.8)
- Description: This vulnerability allows an attacker to bypass security measures and access forbidden files through directory traversal. If the server is compromised, an attacker could create a secret backdoor and exploit this vulnerability.
- Affected Versions: OpenLiteSpeed and LiteSpeed Enterprise WebAdmin Console.
- Exploit Condition: Requires WebAdmin Authentication and root privileges to upload a custom exploit under /usr/local/lsws/admin/html¹.
CVE-2022-0073: Remote Code Execution:
- Severity: High (CVSS 8.8)
- Description: An attacker who compromises the server can create a secret backdoor and exploit this vulnerability. Similar to CVE-2022-0072, it applies to OpenLiteSpeed and LiteSpeed Enterprise WebAdmin Console after WebAdmin Authentication ¹.
CVE-2022-0074:
- Severity: Not specified
- Details: Information about this vulnerability is not explicitly provided in the available sources.
CVE-2021-26758: Privilege Escalation:
- Severity: High (CVSS 8.8)
- Description: In OpenLiteSpeed version 1.7.8, attackers can gain root terminal access and execute commands on the host system. This privilege escalation vulnerability poses a significant risk ².
Directory Traversal Vulnerability:
- Severity: Not specified
- Description: Versions from 1.5.11 through 1.5.12, 1.6.5 through 1.6.20.1, and 1.7.0 before 1.7.16.1 of LSWS suffer from a directory traversal vulnerability in the OpenLiteSpeed Web Server Dashboard. Attackers can exploit path traversal ³.