Lucene search

K

GoogleOSV:CVE-2024-34161

HistoryMay 29, 2024 - 4:15 p.m.

CVE-2024-34161

2024-05-2916:15:10

Google

osv.dev

7

nginx

memory leak

quic

http/3

mtu

software

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.6

Confidence

High

EPSS

0

Percentile

15.5%

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

References

www.openwall.com/lists/oss-security/2024/05/30/4

lists.fedoraproject.org/archives/list/[email protected]/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/

lists.fedoraproject.org/archives/list/[email protected]/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/

my.f5.com/manage/s/article/K000139627

security-tracker.debian.org/tracker/CVE-2024-34161

security.alpinelinux.org/vuln/CVE-2024-34161

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.6

Confidence

High

EPSS

0

Percentile

15.5%

Related for OSV:CVE-2024-34161

osv7 ubuntucve1 debiancve1 alpinelinux1 nginx1 cve1 redhatcve1 f52 wolfi1 vulnrichment1 cvelist1 nvd1 redos1 nessus6 fedora2 openvas3 freebsd1 ibm1 photon2