NGINX ngx_http_hls_module vulnerability CVE-2022-41743
CVE-2022-41743

7HIGH

Key Information:

Vendor: F5
Status: Nginx Plus
Vendor: CVE Published:; 19 October 2022

Summary

NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or potential other impact using a specially crafted audio or video file. The issue affects only NGINX Plus when the hls directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_hls_module.

Affected Version(s)

NGINX Plus R27

NGINX Plus R1

References

https://support.f5.com/csp/article/K01112063

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 19, 2022
Vulnerability Reserved
Sep 28, 2022