Lucene search
K
F5Nginx

41 matches found

CVE
CVE
added 2021/06/01 12:28 p.m.6301 views

CVE-2021-23017

CVE-2021-23017 affects nginx's resolver. A security issue arises from an off-by-one in ngx_resolver_copy when DNS labels are followed by a root-domain pointer, allowing a crafted UDP response to overwrite the least significant byte of the next heap chunk metadata. This can lead to a worker proces...

7.7CVSS6.3AI score0.52838EPSS
CVE
CVE
added 2019/08/13 8:50 p.m.5798 views

CVE-2019-9513

CVE-2019-9513 (and related HTTP/2 CVEs) affect nginx and nghttp2. The issues enable denial of service via HTTP/2 resource loops and priority/window manipulation, causing high CPU/memory usage. nginx 1.16.x and nghttp2 are specifically named in advisories; remediation is upgrading to fixed package...

7.8CVSS7.7AI score0.82017EPSS
CVE
CVE
added 2023/10/10 12:0 a.m.5301 views

CVE-2023-44487

CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...

7.5CVSS8AI score0.99999EPSS
In wild
CVE
CVE
added 2018/11/07 2:0 p.m.5270 views

CVE-2018-16843

CVE-2018-16843 affects nginx before 1.15.6 and 1.14.1, where HTTP/2 implementation vulnerabilities in ngx_http_v2_module (if http2 is enabled) can cause excessive memory usage. Connected advisories also reference related CVEs (16844/16845) and show multiple distributions (Debian, Fedora/Red Hat, ...

7.8CVSS7.3AI score0.47057EPSS
CVE
CVE
added 2018/11/07 2:0 p.m.5121 views

CVE-2018-16844

CVE-2018-16844 affects nginx before versions 1.15.6 and 1.14.1 where HTTP/2 implementation can cause excessive CPU usage when nginx is built with the ngx_http_v2_module and the listen directive uses http2. The issue is triggered by HTTP/2 handling and is report-backed across multiple providers (D...

7.8CVSS7.3AI score0.124EPSS
CVE
CVE
added 2018/11/07 2:0 p.m.4523 views

CVE-2018-16845

The CVE-2018-16845 issue affects nginx builds that include the ngx_http_mp4_module and the mp4 directive. Vulnerable are nginx versions earlier than 1.15.6 and 1.14.1 (when built with the module). The vulnerability arises from processing a specially crafted MP4 file, which could cause an infinite...

8.2CVSS6.4AI score0.09801EPSS
CVE
CVE
added 2020/01/09 8:5 p.m.4469 views

CVE-2019-20372

NGINX (on Amazon Linux 2) is affected by CVE-2019-20372 when configured with certain error_page settings, enabling HTTP request smuggling. The Amazon Linux 2 ALAS advisory ALAS2NGINX1-2023-004 confirms vulnerable 1.17.x/older configurations and provides patched packages: nginx 1.18.0 and related ...

5.3CVSS5.2AI score0.14961EPSS
CVE
CVE
added 2019/08/13 8:50 p.m.3861 views

CVE-2019-9511

CVE-2019-9511 is an HTTP/2 denial-of-service issue observed in multiple products where an attacker manipulates HTTP/2 window size and stream prioritization to force queuing of data in 1-byte chunks, potentially exhausting CPU/memory. Connected advisories confirm affected components include nginx ...

7.8CVSS6.8AI score0.58373EPSS
CVE
CVE
added 2022/03/23 12:0 a.m.3620 views

CVE-2021-3618

ALPACA (CVE-2021-3618) is an application-layer protocol content confusion attack affecting multiple assets (e.g., nginx, vsftpd, sendmail) where TLS servers configured for different protocols with compatible certificates can allow a MITM attacker to redirect subdomain traffic to another, potentia...

7.4CVSS7.5AI score0.02037EPSS
CVE
CVE
added 2019/08/13 8:50 p.m.3070 views

CVE-2019-9516

CVE-2019-9516 is an HTTP/2 header leak vulnerability affecting nginx and several Linux distributions. The issue occurs when an attacker sends streams with 0-length header names and values (optionally Huffman encoded), causing nginx to allocate memory for headers that may be kept until the session...

7.5CVSS7.3AI score0.56262EPSS
CVE
CVE
added 2017/07/13 1:0 p.m.1996 views

CVE-2017-7529

The CVE-2017-7529 entry concerns nginx’s range filter module. Affected software: nginx (and nginx-mainline in Arch advisories). Vulnerable component: the HTTP range/filter logic within nginx range filter/module. Root cause: integer overflow when processing crafted byte ranges, leading to informat...

7.5CVSS7.3AI score0.62597EPSS
CVE
CVE
added 2022/10/19 9:20 p.m.1655 views

CVE-2022-41741

Summary (CVE-2022-41741) : NGINX Open Source before 1.23.2 and 1.22.1, NGINX Open Source Subscription before R2 P1/R1 P1, and NGINX Plus before R27 P1/R26 P1, that are built with the ngx_http_mp4_module and have the mp4 directive enabled, are vulnerable to local memory corruption in the module. A...

7.8CVSS7.1AI score0.00756EPSS
CVE
CVE
added 2025/02/05 5:31 p.m.1382 views

CVE-2025-23419

CVE-2025-23419 affects nginx where multiple server blocks share an IP/port and an attacker can reuse TLS session tickets or the SSL session cache to bypass client certificate authentication on the default server. The issue stems from how session resumption is handled when the default server perfo...

5.3CVSS4.8AI score0.02646EPSS
CVE
CVE
added 2016/02/15 7:0 p.m.1351 views

CVE-2016-0746

CVE-2016-0746 is a use-after-free in nginx’s resolver when processing DNS CNAME responses. The issue affects nginx versions before 1.8.1 and 1.9.x before 1.9.10; exploitation could crash worker processes or yield other unspecified impacts. Remediation per connected docs: upgrade to non‑vulnerable...

9.8CVSS9.5AI score0.08625EPSS
CVE
CVE
added 2009/11/09 5:0 p.m.1308 views

CVE-2009-3555

CVE-2009-3555 concerns a TLS/SSL renegotiation flaw where renegotiation handshakes were not properly associated with the existing connection, enabling MITM data insertion in HTTPS and other TLS/SSL sessions (Project Mogul). Connected advisories show concrete mitigations and affected software: Pou...

9.8CVSS6AI score0.87264EPSS
CVE
CVE
added 2022/10/19 9:20 p.m.779 views

CVE-2022-41742

CVE-2022-41742 affects NGINX ngx_http_mp4_module when mp4 is enabled; a crafted MP4 file can cause local memory disclosure or worker crashes. Affected: NGINX Open Source before 1.23.2 and 1.22.1, NGINX Open Source Subscription before R2 P1/R1 P1, and NGINX Plus before R27 P1/R26 P1. Root cause: p...

7.1CVSS7AI score0.01069EPSS
CVE
CVE
added 2021/06/06 9:4 p.m.604 views

CVE-2017-20005

CVE-2017-20005 affects NGINX before 1.13.6. It is a buffer overflow in the autoindex module triggered by modification dates with years exceeding four digits (e.g., 1969 or far-future dates), caused by integer overflow. The CVSSv3.1 vector and score indicate CRITICAL severity. Remediation per sour...

9.8CVSS9.5AI score0.03285EPSS
CVE
CVE
added 2013/07/18 1:0 a.m.556 views

CVE-2013-2070

The CVE concerns nginx proxying behavior and chunked transfer handling. Affected product: nginx with the proxy module/http parsing paths noted in CVE-2013-2070 (versions 1.1.4–1.2.8 and 1.3.0–1.4.0) when proxy_pass is used to untrusted upstream HTTP servers. Root cause: crafted proxy responses ca...

5.8CVSS6.2AI score0.11925EPSS
Web
CVE
CVE
added 2013/07/18 1:0 a.m.496 views

CVE-2013-2028

The CVE-2013-2028 issue affects nginx 1.3.9–1.4.0, where the ngx_http_parse_chunked function mishandles large chunk sizes in chunked Transfer-Encoding. The root cause is an integer signedness error that leads to a stack-based buffer overflow, enabling remote denial of service and potential code e...

7.5CVSS7.5AI score0.87475EPSS
CVE
CVE
added 2013/11/23 6:0 p.m.435 views

CVE-2013-4547

CVE-2013-4547 affects nginx versions 0.8.41–1.4.3 and 1.5.x prior to 1.5.7. Root cause: an unescaped space character in a URI can bypass intended restrictions, enabling remote bypass of access controls as described in the entry. Impact: restriction bypass is possible; exploitation and mitigation ...

7.5CVSS9.2AI score0.67718EPSS
CVE
CVE
added 2016/11/29 5:0 p.m.424 views

CVE-2016-1247

CVE-2016-1247 affects nginx products (Debian, Ubuntu, Gentoo) where older nginx binaries (e.g., Debian jessie <1.6.2-5+deb8u3; Ubuntu 14.04/16.04/16.10 < listed versions; Gentoo ebuild = 1.10.2 on Gentoo, 1.10.2-3 on Arch, newer upstream branches). An in-wild PoC exploit exists (logrotate-b...

7.8CVSS7.5AI score0.04863EPSS
CVE
CVE
added 2016/06/07 2:0 p.m.409 views

CVE-2016-4450

CVE-2016-4450 – nginx denial of service via NULL pointer dereference . Affects nginx before 1.10.1 and 1.11.x before 1.11.1 when saving the client request body to a temporary file. A crafted request can crash a worker process, causing DoS. The underlying issue is a NULL pointer dereference in cod...

7.5CVSS7AI score0.16376EPSS
CVE
CVE
added 2014/03/28 3:0 p.m.372 views

CVE-2014-0133

CVE-2014-0133 describes a heap-based buffer overflow in the SPDY implementation of nginx. The vulnerability affects nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12, where crafted requests can cause a remote code execution. The root cause is in the SPDY module (ngx_http_spdy_module) handling use...

7.5CVSS9.5AI score0.09293EPSS
CVE
CVE
added 2009/09/15 10:0 p.m.322 views

CVE-2009-2629

CVE-2009-2629 affects the nginx HTTP server, originating from a buffer underflow in ngx_http_parse.c used when processing request URIs. Public sources in the provided documents specify that versions 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 are vulner...

7.5CVSS7.3AI score0.75079EPSS
CVE
CVE
added 2016/02/15 7:0 p.m.293 views

CVE-2016-0742

The CVE-2016-0742 issue affects nginx resolver prior to 1.8.1 and 1.9.x prior to 1.9.10. A crafted UDP DNS response can trigger an invalid pointer dereference, crashing a worker process and causing a denial of service. Affected component: resolver in nginx; root cause: dereference of invalid poin...

7.5CVSS7.8AI score0.81958EPSS
CVE
CVE
added 2013/10/27 12:0 a.m.292 views

CVE-2013-0337

CVE-2013-0337 affects nginx (likely 1.3.13 and earlier) where the default config leaves (1) access.log and (2) error.log world‑readable. This permits local users to read logs and disclose sensitive information. The root cause is insecure log file permissions in the default nginx configuration. Re...

7.5CVSS5.7AI score0.01906EPSS
CVE
CVE
added 2016/02/15 7:0 p.m.262 views

CVE-2016-0747

The CVE-2016-0747 entry affects nginx rescanner behavior: the resolver in nginx (versions prior to 1.8.1 and 1.9.x prior to 1.9.10) does not properly limit CNAME resolution, allowing remote attackers to cause denial of service via excessive name-resolution work. Public details across multiple sou...

5.3CVSS6.8AI score0.08433EPSS
CVE
CVE
added 2010/01/13 8:0 p.m.222 views

CVE-2009-4487

The CVE-2009-4487 issue affects nginx 0.7.64, where non-printable characters logged during HTTP requests can be exploited to alter a window title or potentially execute commands/overwrite files.根 The connected records confirm the vulnerability is real for nginx 0.7.64 and indicate remediation via...

6.8CVSS7.7AI score0.27008EPSS
CVE
CVE
added 2014/12/08 11:0 a.m.217 views

CVE-2014-3616

CVE-2014-3616 affects nginx versions 0.5.6 through 1.7.4. The root cause is reuse of a shared SSL session cache or SSL session_ticket_key for multiple servers, allowing a remote attacker with sufficient privileges to perform a virtual host confusion by reusing a cached SSL session in an unrelated...

4.3CVSS6.4AI score0.05654EPSS
CVE
CVE
added 2009/11/24 5:0 p.m.191 views

CVE-2009-3898

The CVE-2009-3898 issue affects nginx (Engine X) in the WebDAV module (src/http/modules/ngx_http_dav_module.c). A directory traversal flaw via the Destination header in COPY or MOVE can allow remote authenticated users to create or overwrite arbitrary files. Affected versions are nginx before 0.7...

4.9CVSS6.1AI score0.15887EPSS
CVE
CVE
added 2009/11/24 5:0 p.m.179 views

CVE-2009-3896

CVE-2009-3896 affects nginx and its parsing path: the ngx_http_process_request_headers() function in ngx_http_parse.c can dereference a NULL pointer when handling long URIs, leading to denial of service via worker crash. The cited public sources (e.g., GLSA 201203-22) document multiple nginx vuln...

5CVSS6.1AI score0.10181EPSS
CVE
CVE
added 2010/12/06 9:0 p.m.160 views

CVE-2010-4180

OpenSSL vulnerability CVE-2010-4180 affects OpenSSL versions before 0.9.8q and 1.0.x before 1.0.0c when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled. The flaw allows remote attackers to modify the ciphersuite in the session cache, enabling a downgrade to an unintended cipher by sniffing net...

4.3CVSS6.6AI score0.09497EPSS
CVE
CVE
added 2019/11/19 3:18 p.m.140 views

CVE-2011-4968

CVE-2011-4968 concerns the nginx http proxy module failing to verify the peer identity of the HTTPS origin server, enabling potential MITM attacks. The vulnerability is described as an information-security issue in the nginx proxy component where TLS peer verification is not performed for upstrea...

5.8CVSS5AI score0.03989EPSS
CVE
CVE
added 2012/07/26 7:0 p.m.130 views

CVE-2011-4963

CVE-2011-4963 affects nginx on Windows: vulnerable in 1.3.x before 1.3.1 and 1.2.x before 1.2.1, where specially crafted requests can bypass access restrictions and reach restricted files using a trailing dot or certain "$index_allocation" sequences. Red Hat/OpenVAS/NVD entries corroborate the Wi...

5CVSS6.6AI score0.05959EPSS
CVE
CVE
added 2012/04/17 9:0 p.m.123 views

CVE-2012-1180

CVE-2012-1180 affects nginx older branches: use-after-free in memory handling allows a remote HTTP server to obtain sensitive information from process memory via a crafted backend response in conjunction with a client request. Affected: nginx before 1.0.14 and 1.1.x before 1.1.17. Impact details ...

5CVSS5.7AI score0.10417EPSS
CVE
CVE
added 2010/06/14 6:0 p.m.122 views

CVE-2010-2263

CVE-2010-2263 is an information-disclosure vulnerability in nginx where, on Windows, an attacker can obtain source code or unparsed files from the web root by appending ::$DATA to the URI. Affected: nginx 0.7.x before 0.7.66 and 0.8.x before 0.8.40. The issue is fixed in 0.7.66 and 0.8.40 release...

5CVSS7AI score0.71926EPSS
CVE
CVE
added 2014/12/29 8:0 p.m.114 views

CVE-2014-3556

The CVE-2014-3556 entry affects nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4. The STARTTLS implementation in mail/ngx_mail_smtp_handler.c allows an MITM to inject commands into encrypted SMTP sessions by sending a cleartext command after TLS is established, due to insufficient I/O bu...

6.8CVSS6.8AI score0.07832EPSS
CVE
CVE
added 2011/12/08 8:0 p.m.112 views

CVE-2011-4315

CVE-2011-4315 describes a heap-based buffer overflow in nginx’s DNS resolver path (core/ngx_resolver.c) that can be triggered by compression-pointer processing. Affected: nginx versions prior to 1.0.10. Impact stated across sources: remote resolvers may cause a denial of service (daemon crash) an...

6.8CVSS7.6AI score0.0607EPSS
CVE
CVE
added 2012/04/17 9:0 p.m.111 views

CVE-2012-2089

The CVE-2012-2089 issue affects nginx and is caused by a buffer overflow in ngx_http_mp4_module.c when the mp4 directive is used. Affected versions are nginx 1.0.7–1.0.14 and 1.1.3–1.1.18, potentially leading to memory overwrite, denial of service, or remote code execution. Remediation in the con...

6.8CVSS7.9AI score0.09629EPSS
CVE
CVE
added 2014/04/29 2:0 p.m.103 views

CVE-2014-0088

The CVE-2014-0088 issue affects nginx 1.5.10, where the SPDY-enabled ngx_http_spdy_module on 32-bit platforms allows remote code execution via a crafted request. The root cause is memory corruption in the SPDY module, leading to arbitrary code execution when processing crafted inputs. The vulnera...

7.5CVSS7.5AI score0.08663EPSS
CVE
CVE
added 2010/06/14 6:0 p.m.101 views

CVE-2010-2266

Technical details about CVE-2010-2266 are not publicly provided in the connected documents. The available sources only reiterate the initial description; no affected versions, root cause, impact, or remediation are present.

5CVSS7.2AI score0.2151EPSS