CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24990 – NGINX HTTP/3 QUIC vulnerability
https://notcve.org/view.php?id=CVE-2024-24990
14 Feb 2024 — When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Cuando NGINX Plus o NGINX OSS están configurados para usar el módulo HTTP/3 QUIC, las solici... • http://www.openwall.com/lists/oss-security/2024/05/30/4 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2024-24989 – NGINX HTTP/3 QUIC vulnerability
https://notcve.org/view.php?id=CVE-2024-24989
14 Feb 2024 — When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated Cuando NGINX Plus o NGINX OSS están configurados para usar el módulo HTTP/3 QUIC, las solici... • http://www.openwall.com/lists/oss-security/2024/05/30/4 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 94%CPEs: 444EXPL: 17CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-28724 – NGINX Management Suite vulnerability
https://notcve.org/view.php?id=CVE-2023-28724
03 May 2023 — NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000133233 • CWE-276: Incorrect Default Permissions •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-28656 – NGINX Management Suite vulnerability
https://notcve.org/view.php?id=CVE-2023-28656
03 May 2023 — NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000133417 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-1550 – NGINX Agent vulnerability CVE-2023-1550
https://notcve.org/view.php?id=CVE-2023-1550
29 Mar 2023 — Insertion of Sensitive Information into log file vulnerability in NGINX Agent. NGINX Agent version 2.0 before 2.23.3 inserts sensitive information into a log file. An authenticated attacker with local access to read agent log files may gain access to private keys. This issue is only exposed when the non-default trace level logging is enabled. Note: NGINX Agent is included with NGINX Instance Manager and used in conjunction with NGINX API Connectivity Manager, and NGINX Management Suite Security Monitoring. • https://my.f5.com/manage/s/article/K000133135 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-41743 – NGINX ngx_http_hls_module vulnerability CVE-2022-41743
https://notcve.org/view.php?id=CVE-2022-41743
19 Oct 2022 — NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or potential other impact using a specially crafted audio or video file. The issue affects only NGINX Plus when the hls directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_hls_module. NGI... • https://support.f5.com/csp/article/K01112063 • CWE-787: Out-of-bounds Write •
CVSS: 7.1EPSS: 0%CPEs: 13EXPL: 0CVE-2022-41742 – NGINX ngx_http_mp4_module vulnerability CVE-2022-41742
https://notcve.org/view.php?id=CVE-2022-41742
19 Oct 2022 — NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used i... • https://lists.debian.org/debian-lts-announce/2022/11/msg00031.html • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 1%CPEs: 13EXPL: 1CVE-2022-41741 – NGINX ngx_http_mp4_module vulnerability CVE-2022-41741
https://notcve.org/view.php?id=CVE-2022-41741
19 Oct 2022 — NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the co... • https://github.com/dumbbutt0/evilMP4 • CWE-787: Out-of-bounds Write •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-35241 – NGINX Instance Manager vulnerability CVE-2022-35241
https://notcve.org/view.php?id=CVE-2022-35241
04 Aug 2022 — In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En las versiones 2.x anteriores a la 2.3.1 y en todas las versiones de 1.x, cuando es usado NGINX Instance Manager, las peticiones no reveladas pueden causar un aumento en el uso de los recursos del disco. Nota: Las versiones de software que han alcanz... • https://support.f5.com/csp/article/K37080719 • CWE-400: Uncontrolled Resource Consumption •