CVE-2024-31079
Severity CVSS v4.0:
Pending analysis
Type:
CWE-121
Stack-based Buffer Overflow
Publication date:
29/05/2024
Last modified:
24/01/2025
Description
When NGINX Plus or NGINX OSS is configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or have other potential impact. This attack requires that a request be specifically timed during the connection draining process, over which the attacker has no visibility and only limited influence.
Impact
Base Score 3.x
4.80
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* | 1.25.0 (including) | 1.26.1 (excluding) |
cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:* | | |
cpe:2.3:a:f5:nginx_plus:r30:p1:*:*:*:*:*:* | | |
cpe:2.3:a:f5:nginx_plus:r30:p2:*:*:*:*:*:* | | |
cpe:2.3:a:f5:nginx_plus:r31:-:*:*:*:*:*:* | | |
cpe:2.3:a:f5:nginx_plus:r31:p1:*:*:*:*:*:* | | |
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* | | |
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:* | | |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2024/05/30/4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/
- https://my.f5.com/manage/s/article/K000139611