CVE-2024-24989

Date: 2024-02-14 17:15:15
CWE: CWE-476
Source: web.nvd.nist.gov
Tags: nginx, nginx plus, nginx oss, http/3, quic, security vulnerability, cve-2024-24989, nvd

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.5 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 (https://nginx.org/en/docs/quic.html).

NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "modules": [
      "HTTP/3",
      "QUIC"
    ],
    "product": "NGINX Plus",
    "vendor": "F5",
    "versions": [
      {
        "lessThan": "R31 P1",
        "status": "affected",
        "version": "R31",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unknown",
    "modules": [
      "HTTP/3",
      "QUIC"
    ],
    "product": "NGINX Open Source",
    "vendor": "F5",
    "versions": [
      {
        "lessThan": "1.25.4",
        "status": "affected",
        "version": "1.25.3",
        "versionType": "semver"
      }
    ]
  }
]
