History: Aug 14, 2024 - 3:15 p.m.

CVE-2024-7347

2024-08-14 15:15:31
CWE-126
CWE-125
f5
web.nvd.nist.gov
nginx
vulnerability
ngx_http_mp4_module
attacker
mp4 file
memory
termination

CVSS3: 4.7

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS4: 5.7

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/SC:N/VI:N/SI:N/VA:H/SA:N

AI Score: 4.7
Confidence: High

EPSS: 0
Percentile: 13.3%

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected configurations

Nvd

Node
f5    nginx_open_source    Range    1.5.13 to 1.26.2
OR
f5    nginx_plus           Range    r27 to r31
OR
f5    nginx_plus           Match    r31 -
OR
f5    nginx_plus           Match    r31 p1
OR
f5    nginx_plus           Match    r32 -

Vendor    Product              Version    CPE
f5        nginx_open_source    *          cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
f5        nginx_plus           *          cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*
f5        nginx_plus           r31        cpe:2.3:a:f5:nginx_plus:r31:-:*:*:*:*:*:*
f5        nginx_plus           r31        cpe:2.3:a:f5:nginx_plus:r31:p1:*:*:*:*:*:*
f5        nginx_plus           r32        cpe:2.3:a:f5:nginx_plus:r32:-:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "F5",
    "product": "NGINX Open Source",
    "modules": [
      "ngx_http_mp4_module"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "1.5.13",
        "lessThan": "*",
        "changes": [
          {
            "at": "1.26.2",
            "status": "unaffected"
          },
          {
            "at": "1.27.1",
            "status": "unaffected"
          }
        ],
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "F5",
    "product": "NGINX Plus",
    "modules": [
      "ngx_http_m4_module"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "R4",
        "lessThan": "*",
        "changes": [
          {
            "at": "R31 P3",
            "status": "unaffected"
          },
          {
            "at": "R32 P1",
            "status": "unaffected"
          }
        ],
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
