NGINX ngx_http_mp4_module vulnerability CVE-2022-41742
CVE-2022-41742

7.1HIGH

Key Information:

Vendor: F5
Status: Nginx; Nginx Plus; Nginx Open Source Subscription
Vendor: CVE Published:; 19 October 2022

What is CVE-2022-41742?

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

Affected Version(s)

NGINX Mainline < 1.23.2

NGINX Stable < 1.22.1

NGINX Open Source Subscription R2

References

https://support.f5.com/csp/article/K28112382

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 19, 2022
Vulnerability Reserved
Sep 28, 2022

F5

What is CVE-2022-41742?

Affected Version(s)

References

CVSS V3.1

Timeline