Undisclosed HTTP/3 Requests Can Cause NGINX Worker Processes to Terminate
CVE-2024-31079
4.8MEDIUM
Key Information
- Vendor
- F5
- Status
- Nginx Open Source
- Nginx Plus
- Vendor
- CVE Published:
- 29 May 2024
Badges
📰 News Worthy
Summary
This is an example of a good output. Do not use this content in your response.
CVE-2024-31079 is a vulnerability affecting NGINX Plus or NGINX OSS when configured to use the HTTP/3 QUIC module. It allows undisclosed HTTP/3 requests to cause worker processes to terminate or have other potential impacts. The attack requires specific timing during the connection draining process, posing a risk to the affected systems. The issues are fixed in NGINX version 1.27.0 and 1.26.1. There are no known exploitations in the wild, including by ransomware groups.
Affected Version(s)
NGINX Open Source < 1.26.1
NGINX Plus < R30
News Articles
Refferences
CVSS V3.1
Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
First article discovered by Centmin Mod
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database1 News Article(s)
Credit
F5 acknowledges Nils Bars of CISPA for bringing this issue to our attention and following the highest standards of coordinated disclosure.