Undisclosed Requests Can Cause NGINX Worker Processes to Terminate
CVE-2024-24990

7.5HIGH

Key Information:

Vendor: F5
Status: Nginx Plus; Nginx Open Source
Vendor: CVE Published:; 14 February 2024

Badges

📰 News Worthy

What is CVE-2024-24990?

A vulnerability exists in NGINX Plus and NGINX OSS when the HTTP/3 QUIC module is enabled. This module, which is experimental and not enabled by default, can lead to undetermined requests that result in the termination of NGINX worker processes. This behavior can impact the stability and performance of applications relying on these server versions. Proper configurations and awareness of the module's current status are essential for maintaining service reliability.

Affected Version(s)

NGINX Open Source 1.25.0 < 1.25.4

NGINX Plus R31

NGINX Plus R30

News Articles

securityonline.info

CVE-2024-24990 CVE-2024-24989

NGINX Releases Urgent Patch for HTTP/3 Vulnerabilities (CVE-2024-24989, CVE-2024-24990)

NGINX has released an urgent patch to address 2 flaws (CVE-2024-24989, CVE-2024-24990) lurking within its experimental HTTP/3 implementation

References

https://my.f5.com/manage/s/article/K000138445

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/05/30/4

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

📰
First article discovered by securityonline.info
Feb 15, 2024
Vulnerability published
Feb 14, 2024
Vulnerability Reserved
Feb 2, 2024

Credit

JSON

F5

Badges

What is CVE-2024-24990?

Affected Version(s)

News Articles

NGINX Releases Urgent Patch for HTTP/3 Vulnerabilities (CVE-2024-24989, CVE-2024-24990)

References

CVSS V3.1

Timeline

Credit