CVE-2022-37797: 
NixOS vulnerability analysis and mitigation

CVE-2022-37797 affects lighttpd version 1.4.65, specifically in the modwstunnel module. The vulnerability was discovered when the server fails to initialize a handler function pointer upon receiving an invalid HTTP request (websocket handshake). This vulnerability was disclosed in September 2022 and affects lighttpd installations with the modwstunnel module enabled (Lighttpd Issue, NVD).

The vulnerability occurs in the wstunnelhandlersetup function where the server verifies a request and initializes handler functions. If the request contains an invalid value in the 'Sec-WebSocket-Version' header, it sets HTTP status to 400 and exits the function without setting the 'hctx->createenv' function pointer. Subsequently, when the server reaches the 'gwwriterequest' function and attempts to call 'hctx->createenv(hctx)', the null pointer dereference occurs, leading to a crash (Lighttpd Issue).

The vulnerability allows remote attackers to cause a denial of service condition by crashing the server through a null pointer dereference. This can result in service disruption for all users of the affected web server (Gentoo Security, Debian Security).

The vulnerability has been fixed in lighttpd version 1.4.67. Users are recommended to upgrade to this version or later. Various distributions have also released security updates, including Debian (version 1.4.59-1+deb11u2) and Gentoo (version 1.4.67) (Debian Security, Gentoo Security).