CVE-2024-31079

2024-05-2916:15:09

CWE-121

[email protected]

web.nvd.nist.gov

nginx

http/3

quic

vulnerability

worker processes

termination

attack

connection draining

process

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

6.2 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over.

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "modules": [
      "HTTP/3"
    ],
    "product": "NGINX Open Source",
    "vendor": "F5",
    "versions": [
      {
        "lessThan": "1.26.1",
        "status": "affected",
        "version": "1.25.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unknown",
    "modules": [
      "HTTP/3"
    ],
    "product": "NGINX Plus",
    "vendor": "F5",
    "versions": [
      {
        "lessThan": "R32",
        "status": "affected",
        "version": "R30",
        "versionType": "custom"
      }
    ]
  }
]