← Back

CVE-2024-31079

nvd nist
Published: May 29, 2024Modified: Jan 24, 2025

JSON object

Loading...
4.8
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Exploitability: 2.2 / Impact: 2.5
Source: NVD

Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over.

Affected (8)

F5
2 products
Nginx Open Source
Nginx Plus
Fedoraproject
1 product
Fedora
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Nginx Open Source
From 1.25.0 to 1.26.1
F5
Nginx Plus
Version r30
Nginx Plus
Version r30 p1
Nginx Plus
Version r30 p2
Nginx Plus
Version r31
Nginx Plus
Version r31 p1
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 39
Fedora
Version 40

Related CWEs

CWE-121
Stack-based Buffer Overflow
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-787
Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.

References (8)

Source: f5sirt@f5.com
Mailing List
Source: f5sirt@f5.com
Third Party Advisory
Source: f5sirt@f5.com
Third Party Advisory
Source: f5sirt@f5.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.