Undisclosed HTTP/3 Requests Can Cause NGINX Worker Processes to Terminate

CVE-2024-31079

4.8 MEDIUM

Key Information

Vendor
F5
Status
Nginx Open Source
Nginx Plus
Vendor
CVE Published: 29 May 2024

Badges

📰 News Worthy

Summary

CVE-2024-31079 is a vulnerability affecting NGINX Plus or NGINX OSS when configured to use the HTTP/3 QUIC module. Undisclosed HTTP/3 requests can cause worker processes to terminate or have other potential impacts. The attack requires specific timing during the connection draining process. The issue is fixed in NGINX versions 1.27.0 and 1.26.1. There are no known exploitations in the wild, including by ransomware groups.

Affected Version(s)

NGINX Open Source < 1.26.1

NGINX Plus < R30

News Articles

Nginx - [nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161,...

Hello! Four security issues were identified in nginx HTTP/3 implementation, which might allow an attacker that uses a specially crafted QUIC session...

7 months ago

References

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by Centmin Mod

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database, 1 News Article(s)

Credit

F5 acknowledges Nils Bars of CISPA for bringing this issue to our attention and following the highest standards of coordinated disclosure.