Undisclosed HTTP/3 Requests Can Cause NGINX Worker Processes to Terminate
CVE-2024-31079
4.8 MEDIUM
Key Information
- Vendor: F5
- Status
- Nginx Open Source
- Nginx Plus
- Vendor
- CVE Published: 29 May 2024
Badges
📰 News Worthy
Summary
CVE-2024-31079 is a vulnerability affecting NGINX Plus and NGINX OSS when configured to use the HTTP/3 QUIC module. Undisclosed HTTP/3 requests can cause worker processes to terminate or have other potential impacts. The attack requires specific timing during the connection draining process. The issues are fixed in NGINX versions 1.27.0 and 1.26.1. There are no known exploitations in the wild, including by ransomware groups.
Affected Version(s)
NGINX Open Source < 1.26.1
NGINX Plus < R30
News Articles
CVSS V3.1
Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
First article discovered by Centmin Mod
Vulnerability published.
Vulnerability Reserved.
Collectors
NVD Database, Mitre Database, 1 News Article(s)
Credit
F5 acknowledges Nils Bars of CISPA for bringing this issue to our attention and following the highest standards of coordinated disclosure.