NGINX HTTP/3 QUIC vulnerability

CVE-2024-24989

7.5HIGH

Key Information

Vendor: F5
Status: Nginx Plus; Nginx Open Source
Vendor: CVE Published:; 14 February 2024

Badges

📰 News Worthy

Summary

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .

NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Affected Version(s)

NGINX Plus < R31

NGINX Open Source < 1.25.4

News Articles

securityonline.info

CVE-2024-24990 CVE-2024-24989

NGINX Releases Urgent Patch for HTTP/3 Vulnerabilities (CVE-2024-24989, CVE-2024-24990)

NGINX has released an urgent patch to address 2 flaws (CVE-2024-24989, CVE-2024-24990) lurking within its experimental HTTP/3 implementation

10 months ago

Refferences

https://my.f5.com/manage/s/article/K000138444

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/05/30/4

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

First article discovered by securityonline.info
Feb 15, 2024
Vulnerability published
Feb 14, 2024
Vulnerability Reserved
Feb 2, 2024

Collectors

NVD DatabaseMitre Database1 News Article(s)

Key Information

Badges

Summary

Affected Version(s)

News Articles

NGINX Releases Urgent Patch for HTTP/3 Vulnerabilities (CVE-2024-24989, CVE-2024-24990)

Refferences

CVSS V3.1

Timeline

Collectors

Credit