CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1695 – NGINX Unit Java Vulnerability
https://notcve.org/view.php?id=CVE-2025-1695
04 Mar 2025 — In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS). There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000149959 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23419 – TLS Session Resumption Vulnerability
https://notcve.org/view.php?id=CVE-2025-23419
05 Feb 2025 — When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client... • https://my.f5.com/manage/s/article/K000149173 • CWE-287: Improper Authentication •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-10318 – NGINX OpenID Connect Vulnerability
https://notcve.org/view.php?id=CVE-2024-10318
06 Nov 2024 — A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session. • https://my.f5.com/manage/s/article/K000148232 • CWE-384: Session Fixation •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7634 – NGINX Agent Vulnerability
https://notcve.org/view.php?id=CVE-2024-7634
22 Aug 2024 — NGINX Agent's "config_dirs" restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory. • https://my.f5.com/manage/s/article/K000140630 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7347 – NGINX MP4 module vulnerability
https://notcve.org/view.php?id=CVE-2024-7347
14 Aug 2024 — NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions w... • https://my.f5.com/manage/s/article/K000140529 • CWE-126: Buffer Over-read •
CVSS: 8.7EPSS: 1%CPEs: 2EXPL: 0CVE-2024-39792 – NGINX Plus MQTT vulnerability
https://notcve.org/view.php?id=CVE-2024-39792
14 Aug 2024 — When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000140108 • CWE-825: Expired Pointer Dereference •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34161 – NGINX HTTP/3 QUIC vulnerability
https://notcve.org/view.php?id=CVE-2024-34161
29 May 2024 — When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory. Cuando NGINX Plus o NGINX OSS están configurados para usar el módulo HTTP/3 QUIC y la infraestructura de red admite una unidad de transmisión máxima (MTU) de 4096 o más sin fragmentación, los paquetes QUIC no revelados pueden hacer... • http://www.openwall.com/lists/oss-security/2024/05/30/4 • CWE-416: Use After Free •
CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 0CVE-2024-35200 – NGINX HTTP/3 QUIC vulnerability
https://notcve.org/view.php?id=CVE-2024-35200
29 May 2024 — When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate. Cuando NGINX Plus o NGINX OSS están configurados para usar el módulo HTTP/3 QUIC, las solicitudes HTTP/3 no reveladas pueden hacer que los procesos de trabajo de NGINX finalicen. • http://www.openwall.com/lists/oss-security/2024/05/30/4 • CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 0CVE-2024-32760 – NGINX HTTP/3 QUIC vulnerability
https://notcve.org/view.php?id=CVE-2024-32760
29 May 2024 — When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact. Cuando NGINX Plus o NGINX OSS están configurados para usar el módulo HTTP/3 QUIC, las instrucciones del codificador HTTP/3 no divulgadas pueden hacer que los procesos de trabajo de NGINX finalicen o causen otro impacto potencial. • http://www.openwall.com/lists/oss-security/2024/05/30/4 • CWE-787: Out-of-bounds Write •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31079 – NGINX HTTP/3 QUIC vulnerability
https://notcve.org/view.php?id=CVE-2024-31079
29 May 2024 — When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over. Cuando NGINX Plus o NGINX OSS están configurados para usar el módulo HTTP/3 QUIC, las solicitudes HTTP/3 no divulgadas pueden hacer que los procesos de trabajo de NGIN... • http://www.openwall.com/lists/oss-security/2024/05/30/4 • CWE-121: Stack-based Buffer Overflow •