Undisclosed HTTP/3 Requests Can Cause NGINX Worker Processes to Terminate
CVE-2024-31079

4.8 MEDIUM

Key Information:

Vendor: F5
CVE Published: 29 May 2024

Badges

📰 News Worthy

Summary

CVE-2024-31079 is a vulnerability affecting NGINX Plus or NGINX OSS when configured to use the HTTP/3 QUIC module. It allows undisclosed HTTP/3 requests to cause worker processes to terminate or to have other potential impact. The attack requires specific timing during the connection draining process, which is reflected in the High attack complexity rating. The issue is fixed in NGINX versions 1.27.0 and 1.26.1. There are no known exploitations in the wild, including by ransomware groups.

Affected Version(s)

NGINX Open Source 1.25.0 < 1.26.1

NGINX Plus R30

News Articles

Nginx - [nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161,...

Hello! Four security issues were identified in nginx HTTP/3 implementation, which might allow an attacker that uses a specially crafted QUIC session...

8 months ago

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by Centmin Mod

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5 acknowledges Nils Bars of CISPA for bringing this issue to our attention and following the highest standards of coordinated disclosure.