NGINX HTTP/3 QUIC vulnerability
CVE-2024-24989

7.5HIGH

Key Information:

Vendor

F5
Status
Nginx Plus
Nginx Open Source
Vendor
CVE Published:
14 February 2024

Badges

📰 News Worthy

What is CVE-2024-24989?

When configured to utilize the experimental HTTP/3 QUIC module, NGINX Plus and NGINX OSS are susceptible to issues where certain undisclosed requests can lead to the termination of worker processes. This flaw poses potential disruptions in service and affects the reliability of applications relying on these web server solutions. The HTTP/3 QUIC module is not enabled by default, which limits exposure but warrants caution for users who decide to enable it. For additional insights on configuration and implications, refer to the official documentation on QUIC and HTTP/3.

Affected Version(s)

NGINX Open Source 1.25.3 < 1.25.4

NGINX Plus R31

News Articles

favicon imagesecurityonline.info

NGINX Releases Urgent Patch for HTTP/3 Vulnerabilities (CVE-2024-24989, CVE-2024-24990)

NGINX has released an urgent patch to address 2 flaws (CVE-2024-24989, CVE-2024-24990) lurking within its experimental HTTP/3 implementation

References

https://my.f5.com/manage/s/article/K000138444
vendor-advisory
http://www.openwall.com/lists/oss-security/2024/05/30/4

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 📰

    First article discovered by securityonline.info

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5
JSON
.