OESA-2024-2086 nginx security update
NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Security Fixes: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its...
OESA-2024-2088 nginx security update
NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Security Fixes: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its...
OESA-2024-2087 nginx security update
NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Security Fixes: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its...
Nginx 1.5.13 < 1.26.2 Buffer Over-read
According to its Server response header, the installed version of nginx is 1.5.13 to 1.26.2 or 1.27.0. It is, therefore, affected by a security issue identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash by using a specially crafted mp4 file...
Nginx 1.27.0 Buffer Over-read
According to its Server response header, the installed version of nginx is 1.5.13 to 1.26.2 or 1.27.0. It is, therefore, affected by a security issue identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash by using a specially crafted mp4 file...
Nginx 1.25.x < 1.26.1 Multiple Vulnerabilities
According to its Server response header, the installed version of nginx is 1.25.x prior to 1.26.1. It is, therefore, affected by four security issues identified in the nginx HTTP/3 implementation, which might allow an attacker that uses a specially crafted QUIC session to cause a worker process...
Kubernetes: Injection in path parameter of Ingress-nginx
A vulnerability was discovered in the Ingress-nginx controller where an attacker could inject arbitrary content into the path parameter of an Ingress. This allowed the attacker to upload a malicious nginx configuration file to the ingress controller's file system and then include that file in a...
Medium: nginx
Issue Overview: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and...
Medium: nginx
Issue Overview: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and...
Medium: nginx
Issue Overview: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and...
GHSA-JFVP-7X6P-H2PV vulnerabilities
Vulnerabilities for packages: buildah, neuvector-scanner, podman, kubernetes, opentelemetry-collector-contrib, k3s, grype, docker, grafana-alloy, runc, cadvisor, k8s-device-plugin, ctop, syft...
CVE-2024-45310 vulnerabilities
Vulnerabilities for packages: neuvector-fips, podman, grafana-alloy-fips, neuvector-scanner-fips, ingress-nginx-controller-fips, k3s, neuvector-scanner, node-feature-discovery, runc, ingress-nginx-controller, syft, ctop, opentelemetry-collector-contrib-fips, cluster-autoscaler, buildah,...
CVE-2024-45310 vulnerabilities
Vulnerabilities for packages: buildah, neuvector-scanner, podman, kubernetes, opentelemetry-collector-contrib, k3s, grype, docker, grafana-alloy, runc, cadvisor, k8s-device-plugin, ctop, syft...
CVE-2024-7347 affecting package nginx for versions less than 1.22.1-12
CVE-2024-7347 affecting package nginx for versions less than 1.22.1-12. A patched version of the package is available...
Nginx HTTP API Module Unrestricted Access
Nginx HTTP API Module provides a REST API for accessing various status information, configuring upstream server groups on-the-fly, and managing key-value pairs without the need of reconfiguring nginx. If these endpoints are accessible to an attacker, he can modify the configuration in place and, i...
Nginx+ Dashboard Unrestricted Access
Nginx Plus is a proprietary solution from F5 built on top of Nginx and featuring a dashboard called "Live Activity Monitoring". When accessible without authentication it may contain sensitive information that can be used by an attacker. No source data...
The vulnerability of the ngx_http_v4_module in NGINX Plus and NGINX OSS web servers, related to reading data from outside of memory, allows attackers to cause service interruptions.
The vulnerability of the ngx_http_v4_module in NGINX Plus and NGINX OSS web servers is related to reading data from outside of the memory boundaries. Exploiting this vulnerability can allow attackers to cause service failures...
Nginx Source Code Disclosure/Download
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Nginx Source Code Disclosure/Download', 'Description' = %q This module exploits a source code disclosure/download vulnerability in versions 0.7 a...
Improper Input Validation
Ingress-nginx is vulnerable to Improper Input Validation. The vulnerability is due to improper annotation validation, allowing an actor with permission to create Ingress objects to inject arbitrary commands and obtain the credentials of the ingress-nginx controller...
OESA-2024-2065 nginx security update
NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Security Fixes: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its...