False positive: Lighttpd < 1.4.35 Multiple Vulnerabilities - Active Check OID: 1.3.6.1.4.1.25623.1.0.802072

It appears that any Lighttpd version that identifies itself as Lighttpd (without version) will get this vulnerability assigned.

Detected Lighttpd

Version: unknown
Location: 80/tcp
CPE: cpe:/a:lighttpd:lighttpd

Concluded from version/product identification result:
Server: lighttpd

Concluded from version/product identification location:
http://..local/

Actually this VT doesn’t rely on any version (it is not a version check) but is “actively” checking for this vulnerability, as indicated by:

  • The “Active Check” part in the script name
  • The Detection Method content “Sends a crafted HTTP GET request and checks the response.”
  • The currently defined remote_vul (99%) QoD

While looking at the check done within the VT, the reliability might not be that accurate against every system. The QoD has been adjusted now to remote_analysis (70%) to better reflect the reliability of it (see below).

Those changes should arrive in the feed in the next few days. If it has been verified that the system is not affected, an override for this result could be created accordingly.

Remote checks that perform some analysis, but may not always be completely reliable depending on environmental conditions. Narrowing down suspected false-positive or false-negative edge cases may require analysis by the user (see Chapter 11.8).

Source: GSM Manual: 11.2.6 Quality of Detection Concept
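The thread turns on two points: the product detection concluded only `Server: lighttpd` (so the version is “unknown” and no version check could conclude anything), while the flagged VT is an active check whose result is graded by its QoD. The script below is an added illustration, not Greenbone code and not the VT itself: it reproduces the banner-based product identification from the thread, shows why a version comparison cannot conclude on an unknown version, and classifies a result by the QoD values quoted in the thread. The `remote_vul`/`remote_analysis` percentages come from the thread; the 70% default `min_qod` report filter is the GSM default and is stated as an assumption in the code.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# QoD types and percentages quoted in the thread.
QOD = {"remote_vul": 99, "remote_analysis": 70}

# Assumption: GSM hides results below this QoD in the default report filter.
DEFAULT_MIN_QOD = 70

# Matches the Server header at the start of a line; the version part is optional,
# which is exactly the case in the thread ("Server: lighttpd" with no version).
SERVER_RE = re.compile(
    r"^\s*Server:\s*(?P<product>lighttpd)(?:/(?P<version>[0-9][0-9.]*))?",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class Detection:
    product: str
    version: str   # "unknown" when the banner carries no version
    cpe: str
    evidence: str  # the header line the conclusion was drawn from


def detect_lighttpd(response_headers: str) -> Optional[Detection]:
    """Reproduce the version/product identification shown in the thread."""
    m = SERVER_RE.search(response_headers)
    if not m:
        return None
    version = m.group("version") or "unknown"
    cpe = "cpe:/a:lighttpd:lighttpd"
    if version != "unknown":
        cpe += ":" + version
    return Detection("lighttpd", version, cpe, m.group(0).strip())


def _vtuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split(".") if p != "")


def version_below(version: str, fixed: str) -> Optional[bool]:
    """A version check: True/False when it can conclude, None when it cannot.

    With version "unknown" a version check has nothing to compare, which is
    why the thread points out the VT in question is not a version check.
    """
    if version == "unknown":
        return None
    return _vtuple(version) < _vtuple(fixed)


def classify_result(qod_type: str, version: str) -> str:
    """Classify a result for triage from its QoD type and detected version."""
    qod = QOD[qod_type]
    if qod < DEFAULT_MIN_QOD:
        return "hidden by default filter"
    if version == "unknown" and qod < QOD["remote_vul"]:
        # An active check on an unversioned service, graded below remote_vul:
        # shown in reports, but worth verifying before creating an override.
        return "shown; verify manually"
    return "shown; high confidence"


if __name__ == "__main__":
    # Constructed sample: the header block the thread's detection was drawn from.
    sample = "HTTP/1.1 200 OK\r\nServer: lighttpd\r\nContent-Type: text/html\r\n"
    d = detect_lighttpd(sample)
    print(d)
    print("version check concludes:", version_below(d.version, "1.4.35"))
    print("old QoD:", classify_result("remote_vul", d.version))
    print("new QoD:", classify_result("remote_analysis", d.version))
```

Running it with the constructed banner yields a detection with version “unknown” and the bare CPE from the thread, a version check that returns `None` (cannot conclude), and a result that moves from “high confidence” under `remote_vul` to “verify manually” under `remote_analysis`, which is the practical effect of the QoD change described in the reply.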