6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
7.3 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.5%
Security Advisory Description
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause other potential impact. (CVE-2024-32760)
Note: This issue affects NGINX systems compiled with thengx_http_v3_modulemodule, where the configuration contains alistendirective with thequic option enabled. The HTTP/3 QUIC module is considered an experimental feature and is not compiled by default in NGINX OSS, but it is compiled by default in NGINX Plus. For more information, refer to Support for QUIC and HTTP/3. Additionally, because users control their own custom build environments, certain security measures may not be implemented in the users’ build configurations. These security measures may include memory-related build and system configuration options. Consequently, the severity of the impact depends on whether users build the software with or without security options or utilize pre-built binaries, which include security protections by default.
Impact
Client traffic may be disrupted while the worker process restarts. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) or other potential impact. There is no control plane exposure; this is a data plane issue only.
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
7.3 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.5%