ID FC28DF92-B233-11E3-99CA-F0DEF16C5C1B Type freebsd Reporter FreeBSD Modified 2014-03-18T00:00:00
Description
The nginx project reports:
A bug in the experimental SPDY implementation in nginx was found, which
might allow an attacker to cause a heap memory buffer overflow in a
worker process by using a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2014-0133).
The problem affects nginx 1.3.15 - 1.5.11, compiled with the
ngx_http_spdy_module module (which is not compiled by default) and
without --with-debug configure option, if the "spdy" option of the
"listen" directive is used in a configuration file.
The problem is fixed in nginx 1.5.12, 1.4.7.
{"id": "FC28DF92-B233-11E3-99CA-F0DEF16C5C1B", "bulletinFamily": "unix", "title": "nginx -- SPDY heap buffer overflow", "description": "\nThe nginx project reports:\n\nA bug in the experimental SPDY implementation in nginx was found, which\n\t might allow an attacker to cause a heap memory buffer overflow in a\n\t worker process by using a specially crafted request, potentially\n\t resulting in arbitrary code execution (CVE-2014-0133).\nThe problem affects nginx 1.3.15 - 1.5.11, compiled with the\n\t ngx_http_spdy_module module (which is not compiled by default) and\n\t without --with-debug configure option, if the \"spdy\" option of the\n\t \"listen\" directive is used in a configuration file.\nThe problem is fixed in nginx 1.5.12, 1.4.7.\n\n", "published": "2014-03-18T00:00:00", "modified": "2014-03-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://vuxml.freebsd.org/freebsd/fc28df92-b233-11e3-99ca-f0def16c5c1b.html", "reporter": "FreeBSD", "references": ["http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html"], "cvelist": ["CVE-2014-0133"], "type": "freebsd", "lastseen": "2021-07-28T14:48:18", "edition": 6, "viewCount": 37, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-0133"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2014-0133"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310120529", "OPENVAS:1361412562310121223"]}, {"type": "nessus", "idList": ["ALA_ALAS-2014-308.NASL", "FREEBSD_PKG_DA4B89ADB28F11E399CAF0DEF16C5C1B.NASL", "GENTOO_GLSA-201406-20.NASL", "NGINX_1_5_12.NASL", "OPENSUSE-2014-258.NASL", "FREEBSD_PKG_FC28DF92B23311E399CAF0DEF16C5C1B.NASL", "MANDRIVA_MDVSA-2015-094.NASL"]}, {"type": "nginx", "idList": ["NGINX:CVE-2014-0133"]}, {"type": "freebsd", "idList": ["DA4B89AD-B28F-11E3-99CA-F0DEF16C5C1B"]}, {"type": "amazon", "idList": ["ALAS-2014-308"]}, {"type": "seebug", "idList": ["SSV:62014"]}, {"type": "gentoo", "idList": ["GLSA-201406-20"]}, {"type": "hackerone", "idList": ["H1:4690", "H1:168485"]}, {"type": "kitploit", "idList": ["KITPLOIT:1420567869239222035"]}], "modified": "2021-07-28T14:48:18", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-07-28T14:48:18", "rev": 2}, "vulnersScore": 6.5}, "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "nginx", "packageVersion": "1.4.7"}], "scheme": null, "immutableFields": [], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}}
{"ubuntucve": [{"lastseen": "2021-07-31T01:05:21", "description": "Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15\nbefore 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute\narbitrary code via a crafted request.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742059>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | not affected as we build with --with-debug \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | saucy was affected, not all flavors used --with-debug\n", "cvss3": {}, "published": "2014-03-28T00:00:00", "type": "ubuntucve", "title": "CVE-2014-0133", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-03-28T00:00:00", "id": "UB:CVE-2014-0133", "href": "https://ubuntu.com/security/CVE-2014-0133", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-04-22T23:44:08", "description": "Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.", "edition": 8, "cvss3": {}, "published": "2014-03-28T15:55:00", "title": "CVE-2014-0133", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2020-11-16T20:12:00", "cpe": ["cpe:/o:opensuse:opensuse:13.1", "cpe:/a:nginx:nginx:1.5.11"], "id": "CVE-2014-0133", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0133", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "cpe:2.3:a:nginx:nginx:1.5.11:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-07-29T00:23:14", "description": "The remote host is affected by the vulnerability described in GLSA-201406-20\n(nginx: Arbitrary code execution)\n\n A bug in the SPDY implementation in nginx was found which might cause a\n heap memory buffer overflow in a worker process by using a specially\n crafted request. The SPDY implementation is not enabled in default\n configurations.\n \nImpact :\n\n A remote attacker could cause execution of arbitrary code by using a\n specially crafted request.\n \nWorkaround :\n\n Disable the spdy module in NGINX_MODULES_HTTP.", "edition": 23, "cvss3": {}, "published": "2014-06-23T00:00:00", "title": "GLSA-201406-20 : nginx: Arbitrary code execution", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-06-23T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:nginx", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201406-20.NASL", "href": "https://www.tenable.com/plugins/nessus/76179", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201406-20.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76179);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-0133\");\n script_bugtraq_id(66537);\n script_xref(name:\"GLSA\", value:\"201406-20\");\n\n script_name(english:\"GLSA-201406-20 : nginx: Arbitrary code execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201406-20\n(nginx: Arbitrary code execution)\n\n A bug in the SPDY implementation in nginx was found which might cause a\n heap memory buffer overflow in a worker process by using a specially\n crafted request. The SPDY implementation is not enabled in default\n configurations.\n \nImpact :\n\n A remote attacker could cause execution of arbitrary code by using a\n specially crafted request.\n \nWorkaround :\n\n Disable the spdy module in NGINX_MODULES_HTTP.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201406-20\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All nginx users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/nginx-1.4.7'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:nginx\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-servers/nginx\", unaffected:make_list(\"ge 1.4.7\"), vulnerable:make_list(\"lt 1.4.7\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nginx\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T00:16:27", "description": "The nginx project reports :\n\nA bug in the experimental SPDY implementation in nginx was found,\nwhich might allow an attacker to cause a heap memory buffer overflow\nin a worker process by using a specially crafted request, potentially\nresulting in arbitrary code execution (CVE-2014-0133).\n\nThe problem affects nginx 1.3.15 - 1.5.11, compiled with the\nngx_http_spdy_module module (which is not compiled by default) and\nwithout --with-debug configure option, if the 'spdy' option of the\n'listen' directive is used in a configuration file.\n\nThe problem is fixed in nginx 1.5.12, 1.4.7.", "edition": 23, "cvss3": {}, "published": "2014-03-24T00:00:00", "title": "FreeBSD : nginx-devel -- SPDY heap buffer overflow (da4b89ad-b28f-11e3-99ca-f0def16c5c1b)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-03-24T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:nginx-devel"], "id": "FREEBSD_PKG_DA4B89ADB28F11E399CAF0DEF16C5C1B.NASL", "href": "https://www.tenable.com/plugins/nessus/73153", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73153);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-0133\");\n\n script_name(english:\"FreeBSD : nginx-devel -- SPDY heap buffer overflow (da4b89ad-b28f-11e3-99ca-f0def16c5c1b)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The nginx project reports :\n\nA bug in the experimental SPDY implementation in nginx was found,\nwhich might allow an attacker to cause a heap memory buffer overflow\nin a worker process by using a specially crafted request, potentially\nresulting in arbitrary code execution (CVE-2014-0133).\n\nThe problem affects nginx 1.3.15 - 1.5.11, compiled with the\nngx_http_spdy_module module (which is not compiled by default) and\nwithout --with-debug configure option, if the 'spdy' option of the\n'listen' directive is used in a configuration file.\n\nThe problem is fixed in nginx 1.5.12, 1.4.7.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html\"\n );\n # https://vuxml.freebsd.org/freebsd/da4b89ad-b28f-11e3-99ca-f0def16c5c1b.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?555a938c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:nginx-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"nginx-devel>=1.3.15<1.5.12\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T00:17:40", "description": "The nginx project reports :\n\nA bug in the experimental SPDY implementation in nginx was found,\nwhich might allow an attacker to cause a heap memory buffer overflow\nin a worker process by using a specially crafted request, potentially\nresulting in arbitrary code execution (CVE-2014-0133).\n\nThe problem affects nginx 1.3.15 - 1.5.11, compiled with the\nngx_http_spdy_module module (which is not compiled by default) and\nwithout --with-debug configure option, if the 'spdy' option of the\n'listen' directive is used in a configuration file.\n\nThe problem is fixed in nginx 1.5.12, 1.4.7.", "edition": 23, "cvss3": {}, "published": "2014-03-24T00:00:00", "title": "FreeBSD : nginx -- SPDY heap buffer overflow (fc28df92-b233-11e3-99ca-f0def16c5c1b)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-03-24T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:nginx"], "id": "FREEBSD_PKG_FC28DF92B23311E399CAF0DEF16C5C1B.NASL", "href": "https://www.tenable.com/plugins/nessus/73154", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73154);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-0133\");\n\n script_name(english:\"FreeBSD : nginx -- SPDY heap buffer overflow (fc28df92-b233-11e3-99ca-f0def16c5c1b)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The nginx project reports :\n\nA bug in the experimental SPDY implementation in nginx was found,\nwhich might allow an attacker to cause a heap memory buffer overflow\nin a worker process by using a specially crafted request, potentially\nresulting in arbitrary code execution (CVE-2014-0133).\n\nThe problem affects nginx 1.3.15 - 1.5.11, compiled with the\nngx_http_spdy_module module (which is not compiled by default) and\nwithout --with-debug configure option, if the 'spdy' option of the\n'listen' directive is used in a configuration file.\n\nThe problem is fixed in nginx 1.5.12, 1.4.7.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html\"\n );\n # https://vuxml.freebsd.org/freebsd/fc28df92-b233-11e3-99ca-f0def16c5c1b.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?65611bb6\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:nginx\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"nginx<1.4.7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T01:42:14", "description": "According to the self-reported version in the server response header,\nthe installed 1.3.x version of nginx is 1.3.15 or higher, or 1.4.x\nprior to 1.4.7, or 1.5.x prior to 1.5.12. It is, therefore, affected\nby a heap buffer overflow vulnerability.\n\nA flaw exists with the SPDY protocol implementation where user input\nis not properly validated. This could allow a remote attacker to cause\na heap-based buffer overflow, causing a denial of service or potential\narbitrary code execution.\n\nNote that Nessus has not tested for this issue but has instead\nrelied only on the application's self-reported version number.", "edition": 22, "cvss3": {}, "published": "2014-04-15T00:00:00", "title": "nginx < 1.4.7 / 1.5.12 SPDY Heap Buffer Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-04-15T00:00:00", "cpe": ["cpe:/a:nginx:nginx"], "id": "NGINX_1_5_12.NASL", "href": "https://www.tenable.com/plugins/nessus/73519", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73519);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/07\");\n\n script_cve_id(\"CVE-2014-0133\");\n script_bugtraq_id(66537);\n\n script_name(english:\"nginx < 1.4.7 / 1.5.12 SPDY Heap Buffer Overflow\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a heap buffer overflow\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the self-reported version in the server response header,\nthe installed 1.3.x version of nginx is 1.3.15 or higher, or 1.4.x\nprior to 1.4.7, or 1.5.x prior to 1.5.12. It is, therefore, affected\nby a heap buffer overflow vulnerability.\n\nA flaw exists with the SPDY protocol implementation where user input\nis not properly validated. This could allow a remote attacker to cause\na heap-based buffer overflow, causing a denial of service or potential\narbitrary code execution.\n\nNote that Nessus has not tested for this issue but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://nginx.org/en/security_advisories.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://nginx.org/download/patch.2014.spdy2.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"http://nginx.org/en/CHANGES-1.4\");\n script_set_attribute(attribute:\"see_also\", value:\"http://nginx.org/en/CHANGES\");\n script_set_attribute(attribute:\"solution\", value:\"Apply the patch manually or upgrade to nginx 1.4.7 / 1.5.12 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0133\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:nginx:nginx\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nginx_detect.nasl\", \"nginx_nix_installed.nbin\");\n script_require_keys(\"installed_sw/nginx\"); \n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nappname = 'nginx';\nget_install_count(app_name:appname, exit_if_zero:TRUE);\napp_info = vcf::combined_get_app_info(app:appname);\n\nvcf::check_all_backporting(app_info:app_info);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n# If the detection is only remote, Detection Method won't be set, and we should require paranoia\nif (empty_or_null(app_info['Detection Method']) && report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nconstraints = [\n {'fixed_version' : '1.4.7', 'min_version' : '1.3.15'},\n {'fixed_version' : '1.5.12', 'min_version' : '1.5.0'}];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T01:46:17", "description": "nginx was updated to 1.4.7 to fix bugs and security issues.\n\nFixed security issues :\n\n - CVE-2014-0133: nginx:heap-based buffer overflow in SPDY\n implementation\n\nNew upstream release 1.4.7 (bnc#869076) (CVE-2014-0133)\n\n*) Security: a heap memory buffer overflow might occur in a worker\nprocess while handling a specially crafted request by\nngx_http_spdy_module, potentially resulting in arbitrary code\nexecution (CVE-2014-0133). Thanks to Lucas Molas, researcher at\nPrograma STIC, Fundación Dr. Manuel Sadosky, Buenos Aires,\nArgentina.\n\n*) Bugfix: in the 'fastcgi_next_upstream' directive. Thanks\nto Lucas Molas.\n\n*) Bugfix: the 'client_max_body_size' directive might not\nwork when reading a request body using chunked transfer\nencoding; the bug had appeared in 1.3.9. Thanks to Lucas\nMolas.\n\n*) Bugfix: a segmentation fault might occur in a worker\nprocess when proxying WebSocket connections.\n\n*) Bugfix: the $ssl_session_id variable contained full\nsession serialized instead of just a session id. Thanks to\nIvan Ristić.\n\n*) Bugfix: client connections might be immediately closed if\ndeferred accept was used; the bug had appeared in 1.3.15.\n\n*) Bugfix: alerts 'zero size buf in output' might appear in\nlogs while proxying; the bug had appeared in 1.3.9.\n\n*) Bugfix: a segmentation fault might occur in a worker\nprocess if the ngx_http_spdy_module was used.\n\n*) Bugfix: proxied WebSocket connections might hang right\nafter handshake if the select, poll, or /dev/poll methods\nwere used.\n\n*) Bugfix: a timeout might occur while reading client\nrequest body in an SSL connection using chunked transfer\nencoding.\n\n*) Bugfix: memory leak in nginx/Windows.", "edition": 20, "cvss3": {}, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : nginx (openSUSE-SU-2014:0450-1)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:nginx-debuginfo", "p-cpe:/a:novell:opensuse:nginx-debugsource", "p-cpe:/a:novell:opensuse:nginx", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2014-258.NASL", "href": "https://www.tenable.com/plugins/nessus/75309", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-258.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75309);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-0133\");\n\n script_name(english:\"openSUSE Security Update : nginx (openSUSE-SU-2014:0450-1)\");\n script_summary(english:\"Check for the openSUSE-2014-258 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"nginx was updated to 1.4.7 to fix bugs and security issues.\n\nFixed security issues :\n\n - CVE-2014-0133: nginx:heap-based buffer overflow in SPDY\n implementation\n\nNew upstream release 1.4.7 (bnc#869076) (CVE-2014-0133)\n\n*) Security: a heap memory buffer overflow might occur in a worker\nprocess while handling a specially crafted request by\nngx_http_spdy_module, potentially resulting in arbitrary code\nexecution (CVE-2014-0133). Thanks to Lucas Molas, researcher at\nPrograma STIC, Fundación Dr. Manuel Sadosky, Buenos Aires,\nArgentina.\n\n*) Bugfix: in the 'fastcgi_next_upstream' directive. Thanks\nto Lucas Molas.\n\n*) Bugfix: the 'client_max_body_size' directive might not\nwork when reading a request body using chunked transfer\nencoding; the bug had appeared in 1.3.9. Thanks to Lucas\nMolas.\n\n*) Bugfix: a segmentation fault might occur in a worker\nprocess when proxying WebSocket connections.\n\n*) Bugfix: the $ssl_session_id variable contained full\nsession serialized instead of just a session id. Thanks to\nIvan Ristić.\n\n*) Bugfix: client connections might be immediately closed if\ndeferred accept was used; the bug had appeared in 1.3.15.\n\n*) Bugfix: alerts 'zero size buf in output' might appear in\nlogs while proxying; the bug had appeared in 1.3.9.\n\n*) Bugfix: a segmentation fault might occur in a worker\nprocess if the ngx_http_spdy_module was used.\n\n*) Bugfix: proxied WebSocket connections might hang right\nafter handshake if the select, poll, or /dev/poll methods\nwere used.\n\n*) Bugfix: a timeout might occur while reading client\nrequest body in an SSL connection using chunked transfer\nencoding.\n\n*) Bugfix: memory leak in nginx/Windows.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=869076\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2014-03/msg00095.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected nginx packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nginx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nginx-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nginx-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"nginx-1.4.7-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"nginx-debuginfo-1.4.7-3.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"nginx-debugsource-1.4.7-3.9.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nginx\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-01T06:33:47", "description": "Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15\nbefore 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to\nexecute arbitrary code via a crafted request.", "edition": 31, "cvss3": {}, "published": "2014-03-28T00:00:00", "title": "Amazon Linux AMI : nginx (ALAS-2014-308)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2021-08-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:nginx", "p-cpe:/a:amazon:linux:nginx-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2014-308.NASL", "href": "https://www.tenable.com/plugins/nessus/73227", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-308.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73227);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-0133\");\n script_xref(name:\"ALAS\", value:\"2014-308\");\n\n script_name(english:\"Amazon Linux AMI : nginx (ALAS-2014-308)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15\nbefore 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to\nexecute arbitrary code via a crafted request.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-308.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update nginx' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nginx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nginx-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"nginx-1.4.7-1.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nginx-debuginfo-1.4.7-1.17.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nginx / nginx-debuginfo\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T01:24:03", "description": "Updated nginx package fixes security vulnerabilities :\n\nA bug in the experimental SPDY implementation in nginx was found,\nwhich might allow an attacker to cause a heap memory buffer overflow\nin a worker process by using a specially crafted request, potentially\nresulting in arbitrary code execution (CVE-2014-0133).\n\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it\nwas possible to reuse cached SSL sessions in unrelated contexts,\nallowing virtual host confusion attacks in some configurations by an\nattacker in a privileged network position (CVE-2014-3616).", "edition": 25, "cvss3": {}, "published": "2015-03-30T00:00:00", "title": "Mandriva Linux Security Advisory : nginx (MDVSA-2015:094)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133", "CVE-2014-3616"], "modified": "2015-03-30T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:2", "p-cpe:/a:mandriva:linux:nginx"], "id": "MANDRIVA_MDVSA-2015-094.NASL", "href": "https://www.tenable.com/plugins/nessus/82347", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:094. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82347);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-0133\", \"CVE-2014-3616\");\n script_xref(name:\"MDVSA\", value:\"2015:094\");\n\n script_name(english:\"Mandriva Linux Security Advisory : nginx (MDVSA-2015:094)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandriva Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nginx package fixes security vulnerabilities :\n\nA bug in the experimental SPDY implementation in nginx was found,\nwhich might allow an attacker to cause a heap memory buffer overflow\nin a worker process by using a specially crafted request, potentially\nresulting in arbitrary code execution (CVE-2014-0133).\n\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it\nwas possible to reuse cached SSL sessions in unrelated contexts,\nallowing virtual host confusion attacks in some configurations by an\nattacker in a privileged network position (CVE-2014-3616).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0136.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0427.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nginx package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:nginx\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"nginx-1.4.7-1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-03-17T23:01:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0133"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120529", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120529", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2014-308)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120529\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:28:41 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2014-308)\");\n script_tag(name:\"insight\", value:\"Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.\");\n script_tag(name:\"solution\", value:\"Run yum update nginx to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-308.html\");\n script_cve_id(\"CVE-2014-0133\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"nginx-debuginfo\", rpm:\"nginx-debuginfo~1.4.7~1.17.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nginx\", rpm:\"nginx~1.4.7~1.17.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0133"], "description": "Gentoo Linux Local Security Checks GLSA 201406-20", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121223", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121223", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201406-20", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201406-20.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121223\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:27:25 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201406-20\");\n script_tag(name:\"insight\", value:\"A bug in the SPDY implementation in nginx was found which might cause a heap memory buffer overflow in a worker process by using a specially crafted request. The SPDY implementation is not enabled in default configurations.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201406-20\");\n script_cve_id(\"CVE-2014-0133\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201406-20\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"www-servers/nginx\", unaffected: make_list(\"ge 1.4.7\"), vulnerable: make_list(\"lt 1.4.7\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2018-08-31T00:39:12", "bounty": 3000.0, "description": "A bug in the experimental SPDY implementation in nginx was found, which might allow an attacker to cause a heap memory buffer overflow in a worker process by using a specially crafted request, potentially resulting in arbitrary code execution (CVE-2014-0133).\n\nThe problem affects nginx 1.3.15 - 1.5.11, compiled with the ngx_http_spdy_module module (which is not compiled by default) and without --with-debug configure option, if the \"spdy\" option of the \"listen\" directive is used in a configuration file.\n\nThe problem is fixed in nginx 1.5.12, 1.4.7.\n\nPatch for the problem can be found here:\n\nhttp://nginx.org/download/patch.2014.spdy2.txt\n\nThanks to Lucas Molas, researcher at Programa STIC, Fundaci\u00f3n Dr. Manuel Sadosky, Buenos Aires, Argentina.\n", "edition": 2, "published": "2014-03-24T21:54:37", "type": "hackerone", "title": "Nginx (IBB): SPDY heap buffer overflow", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-03-24T21:54:37", "id": "H1:4690", "href": "https://hackerone.com/reports/4690", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-19T17:34:09", "bounty": 50.0, "description": "Summary\n========\nDuring my reconnaissance for your bug bounty program, I discovered an instance of nginx version 1.4.6 running at the IP address https://54.153.101.52. To locate it, I search for IRCCloud-related certificated and found the self-signed certificate for this server (https://censys.io/ipv4/54.153.101.52). This version is in the range of nginx versions affected by the CVE, [CVE-2014-0133](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0133). There is a known exploit for this CVE. According to MITRE, this \"heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.\"\n\n{F120380}\n\nHowever, to succeed, I believe that the exploit requires the ngx_http_spdy_module module (which is not compiled by default) and it requires no --with-debug configure option, if the \"spdy\" option of the \"listen\" directive is used in a configuration file. Because I am unable to check the configuration of your server, I wanted to inform you of this outdated version.\n\nChecking for Vulnerability Steps\n========\n1. Log into server located at 54.153.101.52\n2. Check the nginx configuration file. This should provide you with information as to whether or not it is vulnerable.\n\nMitigation\n========\nRegardless, this is a very outdated version of nginx that should likely be updated to the most recent version if you intend to keep if publicly-exposed. This would correct the vulnerability (if it is vulnerable). Alternatively, if you only want to correct the vulnerability, you can use the patch below:\n\n```\n--- src/http/ngx_http_spdy.c\n+++ src/http/ngx_http_spdy.c\n@@ -1849,7 +1849,7 @@ static u_char *\n ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc,\n u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler)\n {\n-#if (NGX_DEBUG)\n+#if 1\n if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) {\n ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0,\n \"spdy state buffer overflow: \"\n```\nSource: https://nginx.org/download/patch.2014.spdy2.txt\n\nBest,\n@n0rb3r7\n", "edition": 2, "published": "2016-09-15T04:08:05", "type": "hackerone", "title": "IRCCloud: Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2016-10-15T10:41:25", "id": "H1:168485", "href": "https://hackerone.com/reports/168485", "cvss": {"score": 0.0, "vector": "NONE"}}], "freebsd": [{"lastseen": "2021-07-28T14:48:18", "description": "\nThe nginx project reports:\n\nA bug in the experimental SPDY implementation in nginx was found, which\n\t might allow an attacker to cause a heap memory buffer overflow in a\n\t worker process by using a specially crafted request, potentially\n\t resulting in arbitrary code execution (CVE-2014-0133).\nThe problem affects nginx 1.3.15 - 1.5.11, compiled with the\n\t ngx_http_spdy_module module (which is not compiled by default) and\n\t without --with-debug configure option, if the \"spdy\" option of the\n\t \"listen\" directive is used in a configuration file.\nThe problem is fixed in nginx 1.5.12, 1.4.7.\n\n", "edition": 6, "cvss3": {}, "published": "2014-03-18T00:00:00", "title": "nginx-devel -- SPDY heap buffer overflow", "type": "freebsd", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-03-18T00:00:00", "id": "DA4B89AD-B28F-11E3-99CA-F0DEF16C5C1B", "href": "https://vuxml.freebsd.org/freebsd/da4b89ad-b28f-11e3-99ca-f0def16c5c1b.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:29", "edition": 2, "description": "### Background\n\nnginx is a robust, small, and high performance HTTP and reverse proxy server. \n\n### Description\n\nA bug in the SPDY implementation in nginx was found which might cause a heap memory buffer overflow in a worker process by using a specially crafted request. The SPDY implementation is not enabled in default configurations. \n\n### Impact\n\nA remote attacker could cause execution of arbitrary code by using a specially crafted request. \n\n### Workaround\n\nDisable the spdy module in NGINX_MODULES_HTTP. \n\n### Resolution\n\nAll nginx users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/nginx-1.4.7\"", "published": "2014-06-22T00:00:00", "type": "gentoo", "title": "nginx: Arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-06-22T00:00:00", "id": "GLSA-201406-20", "href": "https://security.gentoo.org/glsa/201406-20", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "amazon": [{"lastseen": "2021-07-25T19:31:59", "description": "**Issue Overview:**\n\nHeap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. \n\n \n**Affected Packages:** \n\n\nnginx\n\n \n**Issue Correction:** \nRun _yum update nginx_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 nginx-debuginfo-1.4.7-1.17.amzn1.i686 \n \u00a0\u00a0\u00a0 nginx-1.4.7-1.17.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 nginx-1.4.7-1.17.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 nginx-debuginfo-1.4.7-1.17.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nginx-1.4.7-1.17.amzn1.x86_64 \n \n \n", "edition": 2, "published": "2014-03-24T23:32:00", "type": "amazon", "title": "Important: nginx", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-09-17T22:53:00", "id": "ALAS-2014-308", "href": "https://alas.aws.amazon.com/ALAS-2014-308.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nginx": [{"lastseen": "2021-07-28T14:33:04", "edition": 6, "description": "SPDY heap buffer overflow\nSeverity: major\nCVE-2014-0133\nNot vulnerable: 1.5.12+, 1.4.7+\nVulnerable: 1.3.15-1.5.11", "cvss3": {}, "published": "2014-03-28T15:55:00", "type": "nginx", "title": "SPDY heap buffer overflow", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133"], "modified": "2014-03-28T15:55:00", "id": "NGINX:CVE-2014-0133", "href": "http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T17:33:39", "description": "CVE ID:CVE-2014-0133\r\n\r\nNginx\u662fHTTP\u53ca\u53cd\u5411\u4ee3\u7406\u670d\u52a1\u5668\uff0c\u540c\u65f6\u4e5f\u7528\u4f5c\u90ae\u4ef6\u4ee3\u7406\u670d\u52a1\u5668\uff0c\u7531Igor Sysoev\u7f16\u5199\u3002\r\n\r\nnginx SPDY\u5b9e\u73b0\u5b58\u5728\u57fa\u4e8e\u5806\u7684\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\u4f7f\u5e94\u7528\u7a0b\u5e8f\u5d29\u6e83\u6216\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n0\nnginx 1.3.15\r\nnginx 1.5.x\nnginx 1.5.12, 1.4.7\u7248\u672c\u5df2\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://www.manageengine.com/products/opstor/", "published": "2014-04-01T00:00:00", "type": "seebug", "title": "Nginx SPDY\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0133"], "modified": "2014-04-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-62014", "id": "SSV:62014", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "kitploit": [{"lastseen": "2021-07-28T14:37:03", "description": " \n\n\n[  ](<https://1.bp.blogspot.com/-e3DIGymt-0Y/WbFs8bRpiRI/AAAAAAAAIxE/-2FNHk9ApEUmOlNr6p1yG7AIjuAt3Z4AgCLcBGAs/s1600/Vision2.png>)\n\n \nNmap's XML result parse and NVD's CPE correlation to search CVE. You can use that to find public [ vulnerabilities ](<https://www.kitploit.com/search/label/vulnerabilities>) in services... \n \n\n \n \n Nmap\\s XML result parser and NVD's CPE correlation to search CVE\n \n Example:\n python vision2.py -f result_scan.xml -l 3 -o txt\n \n Coded by Mthbernades and CoolerVoid\n \n - https://github.com/mthbernardes\n - https://github.com/CoolerVoid\n \n usage: vision2.py [-h] -f NMAPFILE [-l LIMIT] [-o OUTPUT]\n vision2.py: error: argument -f/--nmap-file is required\n\n \n** Example of results: ** \n\n \n \n $ python Vision-cpe.py -f result_scan.xml -l 3 -o txt\n \n ::::: Vision v0.1 - nmap NVD's cpe correlation - Coded by CoolerVoid\n Host: 127.0.0.1\n Port: 53\n cpe:/a:isc:bind:9.8.1:p1\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2016-9131\n Description: named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed response to an RTYPE ANY query.\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2016-8864\n Description: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c.\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2016-2848\n Description: ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via malformed options data in an OPT resource record.\n ::::: Vision v0.1 - nmap NVD's cpe correlation - Coded by CoolerVoid\n \n Host: 127.0.0.1\n Port: 22\n cpe:/o:linux:linux_kernel\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2017-14156\n Description: The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the Linux kernel through 4.12.10 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading locations associated with padding bytes.\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2017-14140\n Description: The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR.\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2017-14106\n Description: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path.\n \n \n ::::: Vision v0.1 - nmap NVD's cpe correlation - Coded by CoolerVoid\n \n Host: 127.0.0.1\n Port: 53\n cpe:/a:isc:bind:none\n \n \n ::::: Vision v0.1 - nmap NVD's cpe correlation - Coded by CoolerVoid\n \n Host: 127.0.0.1\n Port: 80\n cpe:/a:igor_sysoev:nginx:1.4.1\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0133\n Description: Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4547\n Description: nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.\n \n \n ::::: Vision v0.1 - nmap NVD's cpe correlation - Coded by CoolerVoid\n \n Host: 127.0.0.1\n Port: 465\n cpe:/a:postfix:postfix\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2012-0811\n Description: Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files generated by backup.php.\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2011-1720\n Description: The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method.\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2011-0411\n Description: The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a \"plaintext command injection\" attack.\n \n \n ::::: Vision v0.1 - nmap NVD's cpe correlation - Coded by CoolerVoid\n \n Host: 127.0.0.1\n Port: 8443\n cpe:/a:lighttpd:lighttpd\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2015-3200\n Description: mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2014-2324\n Description: Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname.\n \n URL: https://nvd.nist.gov/vuln/detail/CVE-2014-2323\n Description: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.\n \n \n ...\n \n\n \n** Common questions: ** \n \n** How to write XML output on [ Nmap ](<https://www.kitploit.com/search/label/Nmap>) ? ** \n[ https://nmap.org/book/output-formats-xml-output.html ](<https://nmap.org/book/output-formats-xml-output.html>) \n \n** What is a CPE ? ** \n[ https://nmap.org/book/output-formats-cpe.html ](<https://nmap.org/book/output-formats-cpe.html>) \n[ https://nvd.nist.gov/products/cpe ](<https://nvd.nist.gov/products/cpe>) \n \n** What is a CVE ? ** \n[ https://cve.mitre.org/ ](<https://cve.mitre.org/>) \n \n \n\n\n** [ Download Vision2 ](<https://github.com/CoolerVoid/Vision2>) **\n", "edition": 33, "cvss3": {}, "published": "2017-09-10T16:38:09", "title": "Vision2 - Nmap's XML result parse and NVD's CPE correlation to search CVE", "type": "kitploit", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0133", "CVE-2014-2323", "CVE-2011-1720", "CVE-2016-8864", "CVE-2016-2848", "CVE-2017-14106", "CVE-2017-14140", "CVE-2013-4547", "CVE-2014-2324", "CVE-2016-9131", "CVE-2015-3200", "CVE-2017-14156", "CVE-2012-0811", "CVE-2011-0411"], "modified": "2017-09-10T16:38:09", "id": "KITPLOIT:1420567869239222035", "href": "http://www.kitploit.com/2017/09/vision2-nmaps-xml-result-parse-and-nvds.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
