Nginx Security Vulnerabilities and Issues — Nginx CVE List

Lucene search

F5Nginx

10 matches found

CVE•added 2020/01/09 9:15 p.m.•3979 views

CVE-2019-20372

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

5.3CVSS5.2AI score0.71473EPSS

CVE•added 2009/11/09 5:30 p.m.•1196 views

CVE-2009-3555

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple ...

5.8CVSS6AI score0.03226EPSS

Web

CVE•added 2013/07/20 3:37 a.m.•514 views

CVE-2013-2070

http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a si...

5.8CVSS6.2AI score0.92597EPSS

Web

CVE•added 2016/02/15 7:59 p.m.•241 views

CVE-2016-0747

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.

5.3CVSS6.8AI score0.21441EPSS

CVE•added 2009/11/24 5:30 p.m.•155 views

CVE-2009-3896

src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14, 0.5.x before 0.5.38, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.14 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a long URI.

5CVSS6.1AI score0.02959EPSS

CVE•added 2019/11/19 4:15 p.m.•118 views

CVE-2011-4968

nginx http proxy module does not verify peer identity of https origin server which could facilitate man-in-the-middle attack (MITM)

5.8CVSS5AI score0.00621EPSS

CVE•added 2012/07/26 7:55 p.m.•115 views

CVE-2011-4963

nginx/Windows 1.3.x before 1.3.1 and 1.2.x before 1.2.1 allows remote attackers to bypass intended access restrictions and access restricted files via (1) a trailing . (dot) or (2) certain "$index_allocation" sequences in a request.

5CVSS6.6AI score0.00589EPSS

CVE•added 2012/04/17 9:55 p.m.•102 views

CVE-2012-1180

Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.

5CVSS5.7AI score0.0199EPSS

CVE•added 2010/06/15 2:4 p.m.•100 views

CVE-2010-2263

nginx 0.8 before 0.8.40 and 0.7 before 0.7.66, when running on Windows, allows remote attackers to obtain source code or unparsed content of arbitrary files under the web document root by appending ::$DATA to the URI.

5CVSS7AI score0.59269EPSS

Web

CVE•added 2010/06/15 2:4 p.m.•82 views

CVE-2010-2266

nginx 0.8.36 allows remote attackers to cause a denial of service (crash) via certain encoded directory traversal sequences that trigger memory corruption, as demonstrated using the "%c0.%c0." sequence.

5CVSS7.2AI score0.1017EPSS