Buffer Overflow Vulnerability in NGINX Affects Multiple Versions
CVE-2017-20005

9.8CRITICAL

Key Information:

Vendor
F5
Status
Nginx
Vendor
CVE Published:
6 June 2021

Summary

NGINX prior to version 1.13.6 is susceptible to a buffer overflow vulnerability caused by improper handling of years exceeding four digits in the autoindex module. This issue can be triggered by certain modification dates, such as those set to an invalid year or an integer overflow resulting from a far future date. This flaw can potentially lead to unpredictable behavior in NGINX and could be exploited by malicious users to disrupt service.

References

http://nginx.org/en/CHANGES
x_refsource_MISC
https://trac.nginx.org/nginx/ticket/1368
x_refsource_MISC
https://github.com/nginx/nginx/commit/0206ebe76f748bb39d9...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.