Nginx Security Vulnerabilities and Issues — Nginx CVE List

Lucene search

F5Nginx

10 matches found

CVE•added 2020/01/09 9:15 p.m.•3947 views

CVE-2019-20372

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

5.3CVSS5.2AI score0.69537EPSS

CVE•added 2009/11/09 5:30 p.m.•1166 views

CVE-2009-3555

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple ...

5.8CVSS6AI score0.04134EPSS

CVE•added 2013/07/20 3:37 a.m.•513 views

CVE-2013-2070

http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a si...

5.8CVSS6.2AI score0.92242EPSS

CVE•added 2016/02/15 7:59 p.m.•236 views

CVE-2016-0747

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.

5.3CVSS6.8AI score0.277EPSS

CVE•added 2009/11/24 5:30 p.m.•151 views

CVE-2009-3896

src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14, 0.5.x before 0.5.38, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.14 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a long URI.

5CVSS6.1AI score0.02427EPSS

CVE•added 2019/11/19 4:15 p.m.•116 views

CVE-2011-4968

nginx http proxy module does not verify peer identity of https origin server which could facilitate man-in-the-middle attack (MITM)

5.8CVSS5AI score0.00265EPSS

CVE•added 2012/07/26 7:55 p.m.•113 views

CVE-2011-4963

nginx/Windows 1.3.x before 1.3.1 and 1.2.x before 1.2.1 allows remote attackers to bypass intended access restrictions and access restricted files via (1) a trailing . (dot) or (2) certain "$index_allocation" sequences in a request.

5CVSS6.6AI score0.00382EPSS

CVE•added 2012/04/17 9:55 p.m.•100 views

CVE-2012-1180

Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.

5CVSS5.7AI score0.01975EPSS

CVE•added 2010/06/15 2:4 p.m.•99 views

CVE-2010-2263

nginx 0.8 before 0.8.40 and 0.7 before 0.7.66, when running on Windows, allows remote attackers to obtain source code or unparsed content of arbitrary files under the web document root by appending ::$DATA to the URI.

5CVSS7AI score0.44217EPSS

CVE•added 2010/06/15 2:4 p.m.•81 views

CVE-2010-2266

nginx 0.8.36 allows remote attackers to cause a denial of service (crash) via certain encoded directory traversal sequences that trigger memory corruption, as demonstrated using the "%c0.%c0." sequence.

5CVSS7.2AI score0.06781EPSS