CVE-2018-16845

nginx: Denial of service and memory disclosure via mp4 module

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.

nginx en versiones anteriores a la 1.15.6 y 1.14.1 tiene una vulnerabilidad en ngx_http_mp4_module, que podría permitir que un atacante provoque un bucle infinito en un proceso worker o resulte en la divulgación de la memoria del proceso mediante el uso de un archivo mp4 especialmente manipulado. El problema solo afecta a nginx si está incluido con ngx_http_mp4_module (el módulo no está incluido por defecto) y se emplea la directiva .mp4 en el archivo de configuración. Además, el atacante solo es posible si un atacante puede desencadenar el procesado de un archivo mp4 especialmente manipulado con ngx_http_mp4_module.

An instance of missing input sanitization was found in the mp4 module for nginx. A local attacker could create a specially crafted video file that, when streamed by the server, would cause a denial of service (server crash or hang) and, possibly, information disclosure.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-09-11 CVE Reserved
2018-11-07 CVE Published
2023-11-01 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-201: Insertion of Sensitive Information Into Sent Data
CWE-400: Uncontrolled Resource Consumption
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (16)

URL	Tag	Source
http://seclists.org/fulldisclosure/2021/Sep/36	Mailing List
http://www.securityfocus.com/bid/105868	Third Party Advisory
http://www.securitytracker.com/id/1042039	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845	Issue Tracking
https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html	Mailing List
https://support.apple.com/kb/HT212818	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html	2022-02-22
https://usn.ubuntu.com/3812-1	2022-02-22

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html	2022-02-22
https://access.redhat.com/errata/RHSA-2018:3652	2022-02-22
https://access.redhat.com/errata/RHSA-2018:3653	2022-02-22
https://access.redhat.com/errata/RHSA-2018:3680	2022-02-22
https://access.redhat.com/errata/RHSA-2018:3681	2022-02-22
https://www.debian.org/security/2018/dsa-4335	2022-02-22
https://access.redhat.com/security/cve/CVE-2018-16845	2018-11-27
https://bugzilla.redhat.com/show_bug.cgi?id=1644508	2018-11-27

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
F5 Search vendor "F5"		Nginx Search vendor "F5" for product "Nginx"				>= 1.0.7 <= 1.0.15 Search vendor "F5" for product "Nginx" and version " >= 1.0.7 <= 1.0.15"		-		Affected
F5 Search vendor "F5"		Nginx Search vendor "F5" for product "Nginx"				>= 1.1.3 <= 1.15.5 Search vendor "F5" for product "Nginx" and version " >= 1.1.3 <= 1.15.5"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Apple Search vendor "Apple"		Xcode Search vendor "Apple" for product "Xcode"				< 13.0 Search vendor "Apple" for product "Xcode" and version " < 13.0"		-		Affected