cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-7347,https://securityvulnerability.io/vulnerability/CVE-2024-7347,NGINX Open Source and NGINX Plus Vulnerability Permits Over-read of Worker Memory,"NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",F5,"Nginx Open Source,Nginx Plus",4.7,MEDIUM,0.0004400000034365803,false,false,false,false,,false,false,2024-08-14T14:32:33.913Z,0
CVE-2024-39792,https://securityvulnerability.io/vulnerability/CVE-2024-39792,Undisclosed Requests Can Cause Memory Resource Utilization Increase in NGINX Plus,"A vulnerability exists in NGINX Plus when configured with the MQTT pre-read module. This issue arises when certain undisclosed requests are made, leading to increased memory resource utilization. It is important to note that versions of NGINX Plus that have reached End of Technical Support (EoTS) are not evaluated in this context, emphasizing the need for organizations to stay up-to-date with supported versions to mitigate potential risks.",F5,Nginx Plus,7.5,HIGH,0.0004600000102072954,false,false,false,false,,false,false,2024-08-14T14:32:33.519Z,0
CVE-2024-34161,https://securityvulnerability.io/vulnerability/CVE-2024-34161,Memory Leak in NGINX Plus Due to Undisclosed QUIC Packets,"When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.",F5,"Nginx Open Source,Nginx Plus",5.3,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-05-29T16:02:05.696Z,0
CVE-2024-35200,https://securityvulnerability.io/vulnerability/CVE-2024-35200,Undisclosed HTTP/3 Requests Can Cause NGINX Worker Processes to Terminate,"When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.",F5,"Nginx Open Source,Nginx Plus",5.3,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-05-29T16:02:05.342Z,0
CVE-2024-32760,https://securityvulnerability.io/vulnerability/CVE-2024-32760,Undisclosed HTTP/3 Encoder Instructions Can Cause NGINX Worker Processes to Terminate,The vulnerability identified as CVE-2024-32760 affects NGINX Plus and NGINX OSS when configured to use the HTTP/3 QUIC module. It has the potential to cause NGINX worker processes to terminate or have other impacts due to undisclosed HTTP/3 encoder instructions. The vulnerability has a base severity of MEDIUM and a base score of 6.5 according to the CVSS 3.1 scoring system. There is no known exploitation of this vulnerability by ransomware groups at this time.,F5,"Nginx Open Source,Nginx Plus",6.5,MEDIUM,0.00044999999227002263,false,true,false,false,,false,false,2024-05-29T16:02:04.985Z,0
CVE-2024-31079,https://securityvulnerability.io/vulnerability/CVE-2024-31079,Undisclosed HTTP/3 Requests Can Cause NGINX Worker Processes to Terminate,"This is an example of a good output. Do not use this content in your response.

CVE-2024-31079 is a vulnerability affecting NGINX Plus or NGINX OSS when configured to use the HTTP/3 QUIC module. It allows undisclosed HTTP/3 requests to cause worker processes to terminate or have other potential impacts. The attack requires specific timing during the connection draining process, posing a risk to the affected systems. The issues are fixed in NGINX version 1.27.0 and 1.26.1. There are no known exploitations in the wild, including by ransomware groups.",F5,"Nginx Open Source,Nginx Plus",4.8,MEDIUM,0.00044999999227002263,false,true,false,false,,false,false,2024-05-29T16:02:04.620Z,0
CVE-2024-24990,https://securityvulnerability.io/vulnerability/CVE-2024-24990,Undisclosed Requests Can Cause NGINX Worker Processes to Terminate,"A vulnerability exists in NGINX Plus and NGINX OSS when the HTTP/3 QUIC module is enabled. This module, which is experimental and not enabled by default, can lead to undetermined requests that result in the termination of NGINX worker processes. This behavior can impact the stability and performance of applications relying on these server versions. Proper configurations and awareness of the module's current status are essential for maintaining service reliability.",F5,"Nginx Plus,Nginx Open Source",7.5,HIGH,0.0004299999854993075,false,true,false,false,,false,false,2024-02-14T16:30:26.445Z,0
CVE-2024-24989,https://securityvulnerability.io/vulnerability/CVE-2024-24989,NGINX HTTP/3 QUIC vulnerability,"When configured to utilize the experimental HTTP/3 QUIC module, NGINX Plus and NGINX OSS are susceptible to issues where certain undisclosed requests can lead to the termination of worker processes. This flaw poses potential disruptions in service and affects the reliability of applications relying on these web server solutions. The HTTP/3 QUIC module is not enabled by default, which limits exposure but warrants caution for users who decide to enable it. For additional insights on configuration and implications, refer to the official documentation on QUIC and HTTP/3.",F5,"Nginx Plus,Nginx Open Source",7.5,HIGH,0.0004299999854993075,false,true,false,false,,false,false,2024-02-14T16:30:26.081Z,0
CVE-2023-28724,https://securityvulnerability.io/vulnerability/CVE-2023-28724,NGINX Management Suite vulnerability,"The NGINX Management Suite is susceptible to a vulnerability whereby default file permissions can be manipulated. Authenticated attackers may exploit this weakness to gain access to and modify sensitive files on both NGINX Instance Manager and NGINX API Connectivity Manager, potentially compromising the integrity of the system. Users of affected systems should review their file permissions and apply necessary updates or mitigations.",F5,"NGINX Instance Manager,NGINX API Connectivity Manager,NGINX Security Monitoring",7.1,HIGH,0.0004400000034365803,false,false,false,false,,false,false,2023-05-03T15:15:00.000Z,0
CVE-2023-28656,https://securityvulnerability.io/vulnerability/CVE-2023-28656,NGINX Management Suite vulnerability,The NGINX Management Suite has a vulnerability that could allow an authenticated user to access configuration objects beyond their designated environment. This may lead to exposure of sensitive configuration data and unintended modifications. Organizations using affected versions should assess their security posture and consider applying any available patches or mitigations to safeguard their configurations.,F5,"NGINX Instance Manager,NGINX API Connectivity Manager,NGINX Security Monitoring",8.1,HIGH,0.0004400000034365803,false,false,false,false,,false,false,2023-05-03T15:15:00.000Z,0
CVE-2023-1550,https://securityvulnerability.io/vulnerability/CVE-2023-1550,NGINX Agent vulnerability CVE-2023-1550,"Insertion of Sensitive Information into log file vulnerability in NGINX Agent. NGINX Agent version 2.0 before 2.23.3 inserts sensitive information into a log file. An authenticated attacker with local access to read agent log files may gain access to private keys. This issue is only exposed when the non-default trace level logging is enabled. Note: NGINX Agent is included with NGINX Instance Manager and used in conjunction with NGINX API Connectivity Manager, and NGINX Management Suite Security Monitoring.",F5,NGINX Agent,5.5,MEDIUM,0.0004199999966658652,false,false,false,false,,false,false,2023-03-29T17:15:00.000Z,0
CVE-2022-41741,https://securityvulnerability.io/vulnerability/CVE-2022-41741,NGINX ngx_http_mp4_module vulnerability CVE-2022-41741,"NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.",F5,"Nginx,Nginx Plus,Nginx Open Source Subscription",7,HIGH,0.0004199999966658652,false,false,false,true,true,false,false,2022-10-19T00:00:00.000Z,0
CVE-2022-41742,https://securityvulnerability.io/vulnerability/CVE-2022-41742,NGINX ngx_http_mp4_module vulnerability CVE-2022-41742,"NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.",F5,"Nginx,Nginx Plus,Nginx Open Source Subscription",7.1,HIGH,0.0004199999966658652,false,false,false,false,,false,false,2022-10-19T00:00:00.000Z,0
CVE-2022-41743,https://securityvulnerability.io/vulnerability/CVE-2022-41743,NGINX ngx_http_hls_module vulnerability CVE-2022-41743,"NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or potential other impact using a specially crafted audio or video file. The issue affects only NGINX Plus when the hls directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_hls_module.",F5,Nginx Plus,7,HIGH,0.0004199999966658652,false,false,false,false,,false,false,2022-10-19T00:00:00.000Z,0
CVE-2022-30535,https://securityvulnerability.io/vulnerability/CVE-2022-30535,NGINX Ingress Controller vulnerability CVE-2022-30535,"In versions 2.x before 2.3.0 and all versions of 1.x, An attacker authorized to create or update ingress objects can obtain the secrets available to the NGINX Ingress Controller. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",F5,Nginx Ingress Controller,6.5,MEDIUM,0.0006300000241026282,false,false,false,false,,false,false,2022-08-04T18:15:00.000Z,0
CVE-2022-35241,https://securityvulnerability.io/vulnerability/CVE-2022-35241,NGINX Instance Manager vulnerability CVE-2022-35241,"In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",F5,Nginx Instance Manager,6.5,MEDIUM,0.0008099999977275729,false,false,false,false,,false,false,2022-08-04T18:15:00.000Z,0
CVE-2022-27495,https://securityvulnerability.io/vulnerability/CVE-2022-27495,,On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated,F5,Nginx Service Mesh,6.5,MEDIUM,0.0005799999926239252,false,false,false,false,,false,false,2022-05-05T17:15:00.000Z,0
CVE-2021-23055,https://securityvulnerability.io/vulnerability/CVE-2021-23055,,"On version 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",F5,Nginx Ingress Controller,6.5,MEDIUM,0.0006399999838322401,false,false,false,false,,false,false,2022-04-21T18:14:01.000Z,0
CVE-2022-23008,https://securityvulnerability.io/vulnerability/CVE-2022-23008,,"On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the ""user"" or ""admin"" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",F5,Nginx Controller Api Management,5.4,MEDIUM,0.000539999979082495,false,false,false,false,,false,false,2022-01-25T19:11:19.000Z,0
CVE-2021-23050,https://securityvulnerability.io/vulnerability/CVE-2021-23050,,"On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",F5,Big-ip Advanced Waf And Big-ip Asm; Nginx App Protect,7.5,HIGH,0.0006099999882280827,false,false,false,false,,false,false,2021-09-14T12:31:38.000Z,0
CVE-2017-20005,https://securityvulnerability.io/vulnerability/CVE-2017-20005,,"NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.",F5,Nginx,9.8,CRITICAL,0.0083600003272295,false,false,false,false,,false,false,2021-06-06T21:04:06.000Z,0
CVE-2021-23017,https://securityvulnerability.io/vulnerability/CVE-2021-23017,,"A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.",F5,"Nginx Web Server, Nginx Plus",7.7,HIGH,0.4332300126552582,false,false,false,true,true,false,false,2021-06-01T12:28:09.000Z,0
CVE-2021-23021,https://securityvulnerability.io/vulnerability/CVE-2021-23021,,The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.,F5,Nginx Controller,5.5,MEDIUM,0.0004400000034365803,false,false,false,false,,false,false,2021-06-01T12:23:35.000Z,0
CVE-2021-23020,https://securityvulnerability.io/vulnerability/CVE-2021-23020,,The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys.,F5,Nginx Controller,5.5,MEDIUM,0.0004400000034365803,false,false,false,false,,false,false,2021-06-01T12:14:39.000Z,0
CVE-2021-23019,https://securityvulnerability.io/vulnerability/CVE-2021-23019,,The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package.,F5,Nginx Controller,7.8,HIGH,0.0004400000034365803,false,false,false,false,,false,false,2021-06-01T12:03:42.000Z,0