CVE-2024-31079

2024-05-2916:15:09

Debian Security Bug Tracker

security-tracker.debian.org

nginx plus

nginx oss

http/3 requests

worker processes

connection draining

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over.

OSVersionArchitecturePackageVersionFilename
Debian12allnginx< 1.22.1-9nginx_1.22.1-9_all.deb
Debian11allnginx< 1.18.0-6.1+deb11u3nginx_1.18.0-6.1+deb11u3_all.deb
Debian10allnginx< 1.14.2-2+deb10u4nginx_1.14.2-2+deb10u4_all.deb
Debian999allnginx<= 1.26.0-1nginx_1.26.0-1_all.deb
Debian13allnginx<= 1.26.0-1nginx_1.26.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	nginx	< 1.22.1-9	nginx_1.22.1-9_all.deb
Debian	11	all	nginx	< 1.18.0-6.1+deb11u3	nginx_1.18.0-6.1+deb11u3_all.deb
Debian	10	all	nginx	< 1.14.2-2+deb10u4	nginx_1.14.2-2+deb10u4_all.deb
Debian	999	all	nginx	<= 1.26.0-1	nginx_1.26.0-1_all.deb
Debian	13	all	nginx	<= 1.26.0-1	nginx_1.26.0-1_all.deb