CVE-2024-34161
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
29/05/2024
Last modified:
24/01/2025
Description
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* | 1.25.0 (including) | 1.26.1 (excluding) |
| cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:* | ||
| cpe:2.3:a:f5:nginx_plus:r30:p1:*:*:*:*:*:* | ||
| cpe:2.3:a:f5:nginx_plus:r30:p2:*:*:*:*:*:* | ||
| cpe:2.3:a:f5:nginx_plus:r31:-:*:*:*:*:*:* | ||
| cpe:2.3:a:f5:nginx_plus:r31:p1:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2024/05/30/4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/
- https://my.f5.com/manage/s/article/K000139627
- http://www.openwall.com/lists/oss-security/2024/05/30/4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/
- https://my.f5.com/manage/s/article/K000139627