Gentoo FoundationGLSA-200909-18nginx: Remote execution of arbitrary code
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.938 High
EPSS
Percentile
99.1%
Background
nginx is a robust, small and high performance HTTP and reverse proxy server.
Description
Chris Ries reported a heap-based buffer underflow in the ngx_http_parse_complex_uri() function in http/ngx_http_parse.c when parsing the request URI.
Impact
A remote attacker might send a specially crafted request URI to a nginx server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the server, or a Denial of Service. NOTE: By default, nginx runs as the βnginxβ user.
Workaround
There is no known workaround at this time.
Resolution
All nginx 0.5.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-0.5.38"
All nginx 0.6.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-0.6.39"
All nginx 0.7.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-0.7.62"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | www-servers/nginx | <Β 0.7.62 | UNKNOWN |
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.938 High
EPSS
Percentile
99.1%