NGINX ngx_http_mp4_module vulnerability CVE-2022-41741
CVE-2022-41741

7HIGH

Key Information:

Vendor

F5
Status
Nginx
Nginx Plus
Nginx Open Source Subscription
Vendor
CVE Published:
19 October 2022

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2022-41741?

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

Affected Version(s)

NGINX Mainline < 1.23.2

NGINX Stable < 1.22.1

NGINX Open Source Subscription R2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-41741-742-Nginx-Vulnerability-Scanner
Created by moften

References

https://support.f5.com/csp/article/K81926432
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2022-41741 : NGINX ngx_http_mp4_module vulnerability CVE-2022-41741