
6262 matches found

Rockylinux
added 2023/11/11 11:0 p.m. | 1740 views

nginx:1.22 security update

An update is available for module.nginx, nginx. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. nginx is a web and proxy server supporting HTTP and other...

7.5 CVSS | 7.3 AI score | 0.99999 EPSS
Exploits: 19
Tenable Nessus
added 2023/11/11 12:0 a.m. | 76 views

Rocky Linux 9 : nginx:1.22 (RLSA-2023:6120)

The remote Rocky Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2023:6120 advisory. - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wil...

7.5 CVSS | 7.2 AI score | 0.99999 EPSS
Exploits: 19 | References: 3
RedHat Linux
added 2023/11/07 9:5 a.m. | 18 views

Important: Red Hat Enhancement Advisory: nginx:1.22 bug fix and enhancement update

An update for the nginx:1.22 module is now available for Red Hat Enterprise Linux 9. For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section...

7.5 CVSS | 7.1 AI score | 0.99999 EPSS
Exploits: 19 | References: 2
OSV
added 2023/11/06 8:57 a.m. | 25 views

BIT-NGINX-INGRESS-CONTROLLER-2022-30535

In versions 2.x before 2.3.0 and all versions of 1.x, an attacker authorized to create or update ingress objects can obtain the secrets available to the NGINX Ingress Controller. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...

6.5 CVSS | 6.7 AI score | 0.00586 EPSS
Exploits: 0 | References: 1
OSV
added 2023/11/06 8:57 a.m. | 36 views

BIT-NGINX-INGRESS-CONTROLLER-2022-41741

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in...

7.8 CVSS | 7.6 AI score | 0.00756 EPSS
Exploits: 2 | References: 10
OSV
added 2023/11/06 8:57 a.m. | 29 views

BIT-NGINX-INGRESS-CONTROLLER-2022-41742

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might...

7.1 CVSS | 7 AI score | 0.01069 EPSS
Exploits: 2 | References: 10
OSV
added 2023/11/06 8:56 a.m. | 25 views

BIT-NGINX-INGRESS-CONTROLLER-2022-41743

NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or potential other impact using a specially crafted audio or video file. The issue affects only NGINX Plus when...

7 CVSS | 6.8 AI score | 0.00214 EPSS
Exploits: 0 | References: 1
Tenable Nessus
added 2023/11/06 12:0 a.m. | 46 views

Rocky Linux 8 : nginx:1.14 (RLSA-2019:2799)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2019:2799 advisory. - Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of...

7.8 CVSS | 7.5 AI score | 0.82567 EPSS
Exploits: 0 | References: 7
Tenable Nessus
added 2023/11/06 12:0 a.m. | 72 views

Rocky Linux 8 : nginx:1.20 (RLSA-2022:0323)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:0323 advisory. - A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory...

7.7 CVSS | 7.8 AI score | 0.52838 EPSS
Exploits: 10 | References: 3
OSV
added 2023/11/03 11:6 a.m. | 6 views

OESA-2023-1777 nginx security update

NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Security Fixes: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in...

7.5 CVSS | 8.1 AI score | 0.99999 EPSS
Exploits: 19 | References: 2
NCSC
added 2023/11/02 12:0 a.m. | 37 views

Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition

GitLab has fixed vulnerabilities in GitLab Enterprise Edition (EE) and Community Edition (CE). A malicious party could exploit vulnerabilities to bypass command measures, gain access to system data or cause a denial-of-service cause. Also included in this update are updates to several Third-party...

8.5 CVSS | 7.2 AI score | 0.00638 EPSS
Exploits: 1
BDU FSTEC
added 2023/11/02 12:0 a.m. | 6 views

The vulnerability of the nginx.ingress.kubernetes.io/permanent-redirect controller in the Kubernetes ingress-nginx cluster allows an attacker to execute arbitrary commands.

The vulnerability of the nginx.ingress.kubernetes.io/permanent-redirect controller in the Kubernetes ingress-nginx cluster is related to errors in processing incoming data. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands...

8 CVSS | 8.2 AI score | 0.56568 EPSS
Exploits: 2 | References: 6 | Affected Software: 1
BDU FSTEC
added 2023/11/01 12:0 a.m. | 4 views

The vulnerability of the ingress controller in the Kubernetes cluster ingress-nginx allows a hacker to execute arbitrary code or increase their privileges.

The vulnerability of the ingress controller in the Kubernetes cluster ingress-nginx is related to errors in processing incoming data. Exploiting this vulnerability allows a malicious actor to execute arbitrary code or increase their privileges using the log_format directive...

9 CVSS | 7.7 AI score | 0.01567 EPSS
Exploits: 0 | References: 5 | Affected Software: 1
Tenable Nessus
added 2023/11/01 12:0 a.m. | 34 views

Puppet Enterprise < 2019.8.7 / 2021.x < 2021.2 Nginx Vulnerability

For more information about this vulnerability, refer to the security announcements for CVE-2021-23017. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...

7.7 CVSS | 8 AI score | 0.52838 EPSS
Exploits: 10 | References: 3
OSV
added 2023/10/30 6:22 p.m. | 10 views

CLSA-2023-1698690146 nginx: Fix of CVE-2023-44487

CVE-2023-44487: HTTP/2 - per-iteration stream handling limit...

7.5 CVSS | 7.1 AI score | 0.99999 EPSS
Exploits: 19 | References: 1
OSV
added 2023/10/30 6:19 p.m. | 4 views

CLSA-2023-1698689944 nginx: Fix of CVE-2023-44487

CVE-2023-44487: HTTP/2 - per-iteration stream handling limit...

7.5 CVSS | 7.1 AI score | 0.99999 EPSS
Exploits: 19 | References: 1
OSV
added 2023/10/30 3:40 p.m. | 47 views

GHSA-FJHG-96CP-6FCW Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File

Description: The latest version of Kimai is found to be vulnerable to a critical Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML...

7.2 CVSS | 7.6 AI score | 0.01466 EPSS
Exploits: 1 | References: 4
The Hacker News
added 2023/10/30 6:46 a.m. | 117 views

Urgent: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes

Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster. The vulnerabilities are as follows - CVE-2022-4886 (CVSS score: 8.8) - Ingress-nginx path...

8.2 AI score | 0.56568 EPSS
Exploits: 2
Veracode
added 2023/10/27 7:18 a.m. | 22 views

Arbitrary Code Execution

github.com/kubernetes/ingress-nginx is vulnerable to Arbitrary Code Execution. The vulnerability arises from the library's default lack of proper annotation validation. This deficiency enables an attacker to inject and execute malicious code through the...

8.8 CVSS | 7.7 AI score | 0.56568 EPSS
Exploits: 2 | References: 5 | Affected Software: 1
Veracode
added 2023/10/27 6:41 a.m. | 21 views

Improper Access Control

github.com/kubernetes/ingress-nginx is vulnerable to Improper Access Control. The vulnerability exists because the library does not adequately validate path types. Consequently, an attacker with the ability to create or update ingress objects can utilize directives to evade the sanitization of th...

8.8 CVSS | 7 AI score | 0.01567 EPSS
Exploits: 0 | References: 6 | Affected Software: 1