Description

When NGINX Plus or NGINX OSS is configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, over which the attacker has no visibility and limited influence.

PUBLISHED Reserved 2024-05-14 | Published 2024-05-29 | Updated 2025-02-13 | Assigner f5




MEDIUM: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

Problem types

CWE-121 Stack-based Buffer Overflow

Product status

Default status: unknown

1.25.0 (semver) before 1.26.1: affected

Default status: unknown

R30 (custom) before R32: affected

Credits

F5 acknowledges Nils Bars of CISPA for bringing this issue to our attention and following the highest standards of coordinated disclosure. (reporter)

References

my.f5.com/manage/s/article/K000139611 vendor-advisory

lists.fedoraproject.org/...R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/

www.openwall.com/lists/oss-security/2024/05/30/4

lists.fedoraproject.org/...MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/

cve.org (CVE-2024-31079)

nvd.nist.gov (CVE-2024-31079)