Undisclosed Requests Can Cause NGINX Worker Processes to Terminate
CVE-2024-24990

7.5HIGH

Key Information:

Vendor
F5
Status
Nginx Plus
Nginx Open Source
Vendor
CVE Published:
14 February 2024

Badges

πŸ“° News Worthy

Summary

A vulnerability exists in NGINX Plus and NGINX OSS when the HTTP/3 QUIC module is enabled. This module, which is experimental and not enabled by default, can lead to undetermined requests that result in the termination of NGINX worker processes. This behavior can impact the stability and performance of applications relying on these server versions. Proper configurations and awareness of the module's current status are essential for maintaining service reliability.

Affected Version(s)

NGINX Open Source 1.25.0 < 1.25.4

NGINX Plus R31

NGINX Plus R30

News Articles

favicon imagesecurityonline.info

NGINX Releases Urgent Patch for HTTP/3 Vulnerabilities (CVE-2024-24989, CVE-2024-24990)

NGINX has released an urgent patch to address 2 flaws (CVE-2024-24989, CVE-2024-24990) lurking within its experimental HTTP/3 implementation

11 months ago

References

https://my.f5.com/manage/s/article/K000138445
vendor-advisory
http://www.openwall.com/lists/oss-security/2024/05/30/4

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • πŸ“°

    First article discovered by securityonline.info

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5
.