Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-16845 (GCVE-0-2018-16845)
Vulnerability from cvelistv5 – Published: 2018-11-07 14:00 – Updated: 2024-08-05 10:32
VLAI
EPSS
Summary
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
Severity
8.2 (High)
CWE
Assigner
References
14 references
Impacted products
Date Public
2018-11-06 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:32:54.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4335",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4335"
},
{
"name": "RHSA-2018:3680",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3680"
},
{
"name": "RHSA-2018:3681",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3681"
},
{
"name": "105868",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105868"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845"
},
{
"name": "1042039",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1042039"
},
{
"name": "[debian-lts-announce] 20181108 [SECURITY] [DLA 1572-1] nginx security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html"
},
{
"name": "RHSA-2018:3653",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3653"
},
{
"name": "RHSA-2018:3652",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3652"
},
{
"name": "USN-3812-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3812-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html"
},
{
"name": "openSUSE-SU-2019:2120",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT212818"
},
{
"name": "20210921 APPLE-SA-2021-09-20-4 Xcode 13",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/36"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nginx",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "1.15.6"
},
{
"status": "affected",
"version": "1.14.1"
}
]
}
],
"datePublic": "2018-11-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-21T23:07:09.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "DSA-4335",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4335"
},
{
"name": "RHSA-2018:3680",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3680"
},
{
"name": "RHSA-2018:3681",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3681"
},
{
"name": "105868",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105868"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845"
},
{
"name": "1042039",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1042039"
},
{
"name": "[debian-lts-announce] 20181108 [SECURITY] [DLA 1572-1] nginx security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html"
},
{
"name": "RHSA-2018:3653",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3653"
},
{
"name": "RHSA-2018:3652",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3652"
},
{
"name": "USN-3812-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3812-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html"
},
{
"name": "openSUSE-SU-2019:2120",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT212818"
},
{
"name": "20210921 APPLE-SA-2021-09-20-4 Xcode 13",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/36"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-16845",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "nginx",
"version": {
"version_data": [
{
"version_value": "1.15.6"
},
{
"version_value": "1.14.1"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "8.2/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4335",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4335"
},
{
"name": "RHSA-2018:3680",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3680"
},
{
"name": "RHSA-2018:3681",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3681"
},
{
"name": "105868",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105868"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845"
},
{
"name": "1042039",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1042039"
},
{
"name": "[debian-lts-announce] 20181108 [SECURITY] [DLA 1572-1] nginx security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html"
},
{
"name": "RHSA-2018:3653",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3653"
},
{
"name": "RHSA-2018:3652",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3652"
},
{
"name": "USN-3812-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3812-1/"
},
{
"name": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html",
"refsource": "MISC",
"url": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html"
},
{
"name": "openSUSE-SU-2019:2120",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
},
{
"name": "https://support.apple.com/kb/HT212818",
"refsource": "CONFIRM",
"url": "https://support.apple.com/kb/HT212818"
},
{
"name": "20210921 APPLE-SA-2021-09-20-4 Xcode 13",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Sep/36"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2018-16845",
"datePublished": "2018-11-07T14:00:00.000Z",
"dateReserved": "2018-09-11T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:32:54.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2018-16845",
"date": "2026-05-27",
"epss": "0.04022",
"percentile": "0.88626"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.0.7\", \"versionEndIncluding\": \"1.0.15\", \"matchCriteriaId\": \"774FF59B-7E9B-4DFE-BDDA-3261321F62A8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.1.3\", \"versionEndIncluding\": \"1.15.5\", \"matchCriteriaId\": \"72F0096B-D1BF-4F0E-960B-42666438B6FD\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*\", \"matchCriteriaId\": \"815D70A8-47D3-459C-A32C-9FEACA0659D1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07C312A0-CD2C-4B9C-B064-6409B25C278F\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B620311B-34A3-48A6-82DF-6F078D7A4493\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"13.0\", \"matchCriteriaId\": \"BB279F6B-EE4C-4885-9CD4-657F6BD2548F\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.\"}, {\"lang\": \"es\", \"value\": \"nginx en versiones anteriores a la 1.15.6 y 1.14.1 tiene una vulnerabilidad en ngx_http_mp4_module, que podr\\u00eda permitir que un atacante provoque un bucle infinito en un proceso worker o resulte en la divulgaci\\u00f3n de la memoria del proceso mediante el uso de un archivo mp4 especialmente manipulado. El problema solo afecta a nginx si est\\u00e1 incluido con ngx_http_mp4_module (el m\\u00f3dulo no est\\u00e1 incluido por defecto) y se emplea la directiva .mp4 en el archivo de configuraci\\u00f3n. Adem\\u00e1s, el atacante solo es posible si un atacante puede desencadenar el procesado de un archivo mp4 especialmente manipulado con ngx_http_mp4_module.\"}]",
"id": "CVE-2018-16845",
"lastModified": "2024-11-21T03:53:25.953",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 4.2}], \"cvssMetricV30\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:P\", \"baseScore\": 5.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2018-11-07T14:29:00.883",
"references": "[{\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2021/Sep/36\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/105868\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1042039\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:3652\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:3653\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:3680\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:3681\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://support.apple.com/kb/HT212818\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/3812-1/\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2018/dsa-4335\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2021/Sep/36\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/105868\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1042039\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:3652\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:3653\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:3680\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:3681\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://support.apple.com/kb/HT212818\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/3812-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2018/dsa-4335\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-835\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2018-16845\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2018-11-07T14:29:00.883\",\"lastModified\":\"2024-11-21T03:53:25.953\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.\"},{\"lang\":\"es\",\"value\":\"nginx en versiones anteriores a la 1.15.6 y 1.14.1 tiene una vulnerabilidad en ngx_http_mp4_module, que podr\u00eda permitir que un atacante provoque un bucle infinito en un proceso worker o resulte en la divulgaci\u00f3n de la memoria del proceso mediante el uso de un archivo mp4 especialmente manipulado. El problema solo afecta a nginx si est\u00e1 incluido con ngx_http_mp4_module (el m\u00f3dulo no est\u00e1 incluido por defecto) y se emplea la directiva .mp4 en el archivo de configuraci\u00f3n. Adem\u00e1s, el atacante solo es posible si un atacante puede desencadenar el procesado de un archivo mp4 especialmente manipulado con ngx_http_mp4_module.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":4.2}],\"cvssMetricV30\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:P\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0.7\",\"versionEndIncluding\":\"1.0.15\",\"matchCriteriaId\":\"774FF59B-7E9B-4DFE-BDDA-3261321F62A8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.3\",\"versionEndIncluding\":\"1.15.5\",\"matchCriteriaId\":\"72F0096B-D1BF-4F0E-960B-42666438B6FD\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*\",\"matchCriteriaId\":\"815D70A8-47D3-459C-A32C-9FEACA0659D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07C312A0-CD2C-4B9C-B064-6409B25C278F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B620311B-34A3-48A6-82DF-6F078D7A4493\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"13.0\",\"matchCriteriaId\":\"BB279F6B-EE4C-4885-9CD4-657F6BD2548F\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2021/Sep/36\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/105868\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1042039\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:3652\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:3653\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:3680\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:3681\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT212818\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/3812-1/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4335\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2021/Sep/36\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/105868\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1042039\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:3652\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:3653\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:3680\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:3681\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT212818\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/3812-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4335\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
cleanstart-2026-xb16901
Vulnerability from cleanstart
Published
2026-01-30 17:13
Modified
2026-01-29 18:58
Summary
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers
Details
Multiple security vulnerabilities affect the nginx package. When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "nginx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.26.3-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the nginx package. When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-XB16901",
"modified": "2026-01-29T18:58:54Z",
"published": "2026-01-30T17:13:56.781902Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-XB16901.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7529"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-16845"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-20372"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-9511"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-9513"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-9516"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-23017"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-46461"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-46462"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-46463"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-25139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3638"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41741"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41742"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-44487"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-31079"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-32760"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-34161"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-35200"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-7347"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-23419"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7529"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16845"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20372"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9513"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9516"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23017"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46461"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46462"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46463"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3638"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41741"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41742"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31079"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32760"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34161"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35200"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7347"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23419"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers",
"upstream": [
"CVE-2017-7529",
"CVE-2018-16845",
"CVE-2019-20372",
"CVE-2019-9511",
"CVE-2019-9513",
"CVE-2019-9516",
"CVE-2021-23017",
"CVE-2021-46461",
"CVE-2021-46462",
"CVE-2021-46463",
"CVE-2022-25139",
"CVE-2022-3638",
"CVE-2022-41741",
"CVE-2022-41742",
"CVE-2023-44487",
"CVE-2024-31079",
"CVE-2024-32760",
"CVE-2024-34161",
"CVE-2024-35200",
"CVE-2024-7347",
"CVE-2025-23419"
]
}
cleanstart-2026-zn32454
Vulnerability from cleanstart
Published
2026-02-27 00:50
Modified
2026-02-26 12:09
Summary
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers
Details
Multiple security vulnerabilities affect the nginx package. When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "nginx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.26.3-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the nginx package. When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-ZN32454",
"modified": "2026-02-26T12:09:56Z",
"published": "2026-02-27T00:50:08.716833Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-ZN32454.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7529"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-16845"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-20372"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-9511"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-9513"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-9516"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-23017"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-46461"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-46462"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-46463"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-25139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3638"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41741"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41742"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-44487"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-31079"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-32760"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-34161"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-35200"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-7347"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-23419"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7529"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16845"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20372"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9513"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9516"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23017"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46461"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46462"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46463"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3638"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41741"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41742"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31079"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32760"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34161"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35200"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7347"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23419"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers",
"upstream": [
"CVE-2017-7529",
"CVE-2018-16845",
"CVE-2019-20372",
"CVE-2019-9511",
"CVE-2019-9513",
"CVE-2019-9516",
"CVE-2021-23017",
"CVE-2021-46461",
"CVE-2021-46462",
"CVE-2021-46463",
"CVE-2022-25139",
"CVE-2022-3638",
"CVE-2022-41741",
"CVE-2022-41742",
"CVE-2023-44487",
"CVE-2024-31079",
"CVE-2024-32760",
"CVE-2024-34161",
"CVE-2024-35200",
"CVE-2024-7347",
"CVE-2025-23419"
]
}
cleanstart-2026-zt77083
Vulnerability from cleanstart
Published
2026-02-18 00:40
Modified
2026-02-17 14:16
Summary
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers
Details
Multiple security vulnerabilities affect the nginx package. When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "nginx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.26.3-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the nginx package. When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-ZT77083",
"modified": "2026-02-17T14:16:07Z",
"published": "2026-02-18T00:40:43.959662Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-ZT77083.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7529"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-16845"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-20372"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-9511"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-9513"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-9516"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-23017"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-46461"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-46462"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-46463"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-25139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3638"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41741"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41742"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-44487"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-31079"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-32760"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-34161"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-35200"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-7347"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-23419"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7529"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16845"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20372"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9513"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9516"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23017"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46461"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46462"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46463"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3638"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41741"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41742"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31079"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32760"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34161"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35200"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7347"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23419"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers",
"upstream": [
"CVE-2017-7529",
"CVE-2018-16845",
"CVE-2019-20372",
"CVE-2019-9511",
"CVE-2019-9513",
"CVE-2019-9516",
"CVE-2021-23017",
"CVE-2021-46461",
"CVE-2021-46462",
"CVE-2021-46463",
"CVE-2022-25139",
"CVE-2022-3638",
"CVE-2022-41741",
"CVE-2022-41742",
"CVE-2023-44487",
"CVE-2024-31079",
"CVE-2024-32760",
"CVE-2024-34161",
"CVE-2024-35200",
"CVE-2024-7347",
"CVE-2025-23419"
]
}
CNVD-2018-22807
Vulnerability from cnvd - Published: 2018-11-09
VLAI
Title
nginx ngx_http_mp4_module组件内存泄露漏洞
Description
nginx是一款轻量级Web服务器/反向代理服务器及电子邮件(IMAP/POP3)代理服务器。
Nginx 1.15.5及之前的版本和1.14.1版本中的ngx_http_mp4_module组件存在内存泄露漏洞,该漏洞源于程序未能正确处理MP4文件。远程攻击者可利用该漏洞获取敏感信息或造成拒绝服务。
Severity
中
Patch Name
nginx ngx_http_mp4_module组件内存泄露漏洞的补丁
Patch Description
nginx是一款轻量级Web服务器/反向代理服务器及电子邮件(IMAP/POP3)代理服务器。
Nginx 1.15.5及之前的版本和1.14.1版本中的ngx_http_mp4_module组件存在内存泄露漏洞,该漏洞源于程序未能正确处理MP4文件。远程攻击者可利用该漏洞获取敏感信息或造成拒绝服务。 目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布漏洞修复程序,请及时关注更新: http://nginx.org/download/patch.2018.mp4.txt
Reference
https://securitytracker.com/id/1042039
Impacted products
| Name | ['Nginx nginx 1.1.3+', 'Nginx nginx 1.0.7+', 'Nginx nginx 1.14.1', 'Nginx nginx <=1.15.5'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2018-16845"
}
},
"description": "nginx\u662f\u4e00\u6b3e\u8f7b\u91cf\u7ea7Web\u670d\u52a1\u5668/\u53cd\u5411\u4ee3\u7406\u670d\u52a1\u5668\u53ca\u7535\u5b50\u90ae\u4ef6\uff08IMAP/POP3\uff09\u4ee3\u7406\u670d\u52a1\u5668\u3002\n\nNginx 1.15.5\u53ca\u4e4b\u524d\u7684\u7248\u672c\u548c1.14.1\u7248\u672c\u4e2d\u7684ngx_http_mp4_module\u7ec4\u4ef6\u5b58\u5728\u5185\u5b58\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5904\u7406MP4\u6587\u4ef6\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
"discovererName": "Sam Fowler",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttp://nginx.org/download/patch.2018.mp4.txt",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2018-22807",
"openTime": "2018-11-09",
"patchDescription": "nginx\u662f\u4e00\u6b3e\u8f7b\u91cf\u7ea7Web\u670d\u52a1\u5668/\u53cd\u5411\u4ee3\u7406\u670d\u52a1\u5668\u53ca\u7535\u5b50\u90ae\u4ef6\uff08IMAP/POP3\uff09\u4ee3\u7406\u670d\u52a1\u5668\u3002\r\n\r\nNginx 1.15.5\u53ca\u4e4b\u524d\u7684\u7248\u672c\u548c1.14.1\u7248\u672c\u4e2d\u7684ngx_http_mp4_module\u7ec4\u4ef6\u5b58\u5728\u5185\u5b58\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5904\u7406MP4\u6587\u4ef6\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "nginx ngx_http_mp4_module\u7ec4\u4ef6\u5185\u5b58\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Nginx nginx 1.1.3+",
"Nginx nginx 1.0.7+",
"Nginx nginx 1.14.1",
"Nginx nginx \u003c=1.15.5"
]
},
"referenceLink": "https://securitytracker.com/id/1042039",
"serverity": "\u4e2d",
"submitTime": "2018-11-07",
"title": "nginx ngx_http_mp4_module\u7ec4\u4ef6\u5185\u5b58\u6cc4\u9732\u6f0f\u6d1e"
}
FKIE_CVE-2018-16845
Vulnerability from fkie_nvd - Published: 2018-11-07 14:29 - Updated: 2024-11-21 03:53
Severity
Summary
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html | Mailing List, Third Party Advisory | |
| secalert@redhat.com | http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html | Mailing List, Patch, Vendor Advisory | |
| secalert@redhat.com | http://seclists.org/fulldisclosure/2021/Sep/36 | Mailing List, Third Party Advisory | |
| secalert@redhat.com | http://www.securityfocus.com/bid/105868 | Third Party Advisory, VDB Entry | |
| secalert@redhat.com | http://www.securitytracker.com/id/1042039 | Third Party Advisory, VDB Entry | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:3652 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:3653 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:3680 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2018:3681 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html | Mailing List, Third Party Advisory | |
| secalert@redhat.com | https://support.apple.com/kb/HT212818 | Third Party Advisory | |
| secalert@redhat.com | https://usn.ubuntu.com/3812-1/ | Patch, Third Party Advisory | |
| secalert@redhat.com | https://www.debian.org/security/2018/dsa-4335 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html | Mailing List, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2021/Sep/36 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/105868 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1042039 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2018:3652 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2018:3653 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2018:3680 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2018:3681 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT212818 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3812-1/ | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2018/dsa-4335 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx | * | |
| f5 | nginx | * | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| canonical | ubuntu_linux | 14.04 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 18.10 | |
| opensuse | leap | 15.1 | |
| apple | xcode | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*",
"matchCriteriaId": "774FF59B-7E9B-4DFE-BDDA-3261321F62A8",
"versionEndIncluding": "1.0.15",
"versionStartIncluding": "1.0.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72F0096B-D1BF-4F0E-960B-42666438B6FD",
"versionEndIncluding": "1.15.5",
"versionStartIncluding": "1.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
"matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB279F6B-EE4C-4885-9CD4-657F6BD2548F",
"versionEndExcluding": "13.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module."
},
{
"lang": "es",
"value": "nginx en versiones anteriores a la 1.15.6 y 1.14.1 tiene una vulnerabilidad en ngx_http_mp4_module, que podr\u00eda permitir que un atacante provoque un bucle infinito en un proceso worker o resulte en la divulgaci\u00f3n de la memoria del proceso mediante el uso de un archivo mp4 especialmente manipulado. El problema solo afecta a nginx si est\u00e1 incluido con ngx_http_mp4_module (el m\u00f3dulo no est\u00e1 incluido por defecto) y se emplea la directiva .mp4 en el archivo de configuraci\u00f3n. Adem\u00e1s, el atacante solo es posible si un atacante puede desencadenar el procesado de un archivo mp4 especialmente manipulado con ngx_http_mp4_module."
}
],
"id": "CVE-2018-16845",
"lastModified": "2024-11-21T03:53:25.953",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-11-07T14:29:00.883",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Patch",
"Vendor Advisory"
],
"url": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/36"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105868"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1042039"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3652"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3653"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3680"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3681"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT212818"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3812-1/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4335"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Vendor Advisory"
],
"url": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/36"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105868"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1042039"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3652"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3653"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3680"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3681"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT212818"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3812-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4335"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
GHSA-VQ5F-VPGW-9VCP
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03
VLAI
Details
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
Severity
6.1 (Medium)
{
"affected": [],
"aliases": [
"CVE-2018-16845"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-07T14:29:00Z",
"severity": "MODERATE"
},
"details": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.",
"id": "GHSA-vq5f-vpgw-9vcp",
"modified": "2022-05-13T01:03:32Z",
"published": "2022-05-13T01:03:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16845"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3652"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3653"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3680"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3681"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT212818"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3812-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4335"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
},
{
"type": "WEB",
"url": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Sep/36"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105868"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1042039"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GSD-2018-16845
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-16845",
"description": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.",
"id": "GSD-2018-16845",
"references": [
"https://www.suse.com/security/cve/CVE-2018-16845.html",
"https://www.debian.org/security/2018/dsa-4335",
"https://access.redhat.com/errata/RHSA-2018:3681",
"https://access.redhat.com/errata/RHSA-2018:3680",
"https://access.redhat.com/errata/RHSA-2018:3653",
"https://access.redhat.com/errata/RHSA-2018:3652",
"https://ubuntu.com/security/CVE-2018-16845",
"https://advisories.mageia.org/CVE-2018-16845.html",
"https://linux.oracle.com/cve/CVE-2018-16845.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-16845"
],
"details": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.",
"id": "GSD-2018-16845",
"modified": "2023-12-13T01:22:26.415303Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-16845",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "nginx",
"version": {
"version_data": [
{
"version_value": "1.15.6"
},
{
"version_value": "1.14.1"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "8.2/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4335",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4335"
},
{
"name": "RHSA-2018:3680",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3680"
},
{
"name": "RHSA-2018:3681",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3681"
},
{
"name": "105868",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105868"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845"
},
{
"name": "1042039",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1042039"
},
{
"name": "[debian-lts-announce] 20181108 [SECURITY] [DLA 1572-1] nginx security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html"
},
{
"name": "RHSA-2018:3653",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3653"
},
{
"name": "RHSA-2018:3652",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3652"
},
{
"name": "USN-3812-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3812-1/"
},
{
"name": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html",
"refsource": "MISC",
"url": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html"
},
{
"name": "openSUSE-SU-2019:2120",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
},
{
"name": "https://support.apple.com/kb/HT212818",
"refsource": "CONFIRM",
"url": "https://support.apple.com/kb/HT212818"
},
{
"name": "20210921 APPLE-SA-2021-09-20-4 Xcode 13",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2021/Sep/36"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.15",
"versionStartIncluding": "1.0.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.15.5",
"versionStartIncluding": "1.1.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "13.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-16845"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845"
},
{
"name": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html",
"refsource": "MISC",
"tags": [
"Mailing List",
"Patch",
"Vendor Advisory"
],
"url": "http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html"
},
{
"name": "USN-3812-1",
"refsource": "UBUNTU",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3812-1/"
},
{
"name": "1042039",
"refsource": "SECTRACK",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1042039"
},
{
"name": "DSA-4335",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4335"
},
{
"name": "[debian-lts-announce] 20181108 [SECURITY] [DLA 1572-1] nginx security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html"
},
{
"name": "105868",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/105868"
},
{
"name": "RHSA-2018:3653",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3653"
},
{
"name": "RHSA-2018:3652",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3652"
},
{
"name": "RHSA-2018:3681",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3681"
},
{
"name": "RHSA-2018:3680",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3680"
},
{
"name": "openSUSE-SU-2019:2120",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"
},
{
"name": "https://support.apple.com/kb/HT212818",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT212818"
},
{
"name": "20210921 APPLE-SA-2021-09-20-4 Xcode 13",
"refsource": "FULLDISC",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2021/Sep/36"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 4.2
}
},
"lastModifiedDate": "2022-02-22T19:27Z",
"publishedDate": "2018-11-07T14:29Z"
}
}
}
OPENSUSE-SU-2019:0195-1
Vulnerability from csaf_opensuse - Published: 2019-03-23 10:59 - Updated: 2019-03-23 10:59Summary
Security update for nginx
Severity
Moderate
Notes
Title of the patch: Security update for nginx
Description of the patch: This update for nginx fixes the following issues:
nginx was updated to 1.14.2:
- Bugfix: nginx could not be built on Fedora 28 Linux.
- Bugfix: in handling of client addresses when using unix domain
listen sockets to work with datagrams on Linux.
- Change: the logging level of the 'http request', 'https proxy
request', 'unsupported protocol', 'version too low',
'no suitable key share', and 'no suitable signature algorithm'
SSL errors has been lowered from 'crit' to 'info'.
- Bugfix: when using OpenSSL 1.1.0 or newer it was not possible
to switch off 'ssl_prefer_server_ciphers' in a virtual server
if it was switched on in the default server.
- Bugfix: nginx could not be built with LibreSSL 2.8.0.
- Bugfix: if nginx was built with OpenSSL 1.1.0 and used with
OpenSSL 1.1.1, the TLS 1.3 protocol was always enabled.
- Bugfix: sending a disk-buffered request body to a gRPC backend
might fail.
- Bugfix: connections with some gRPC backends might not be cached when
using the 'keepalive' directive.
- Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_mp4_module was used on 32-bit platforms.
Changes with nginx 1.14.1:
- Security: when using HTTP/2 a client might cause excessive memory
consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).
- Security: processing of a specially crafted mp4 file with the
ngx_http_mp4_module might result in worker process memory disclosure
(CVE-2018-16845).
- Bugfix: working with gRPC backends might result in excessive memory
consumption.
Changes with nginx 1.13.12:
- Bugfix: connections with gRPC backends might be closed unexpectedly
when returning a large response.
Changes with nginx 1.13.10
- Feature: the 'set' parameter of the 'include' SSI
directive now allows writing arbitrary responses to a
variable; the 'subrequest_output_buffer_size' directive
defines maximum response size.
- Feature: now nginx uses clock_gettime(CLOCK_MONOTONIC) if available,
to avoid timeouts being incorrectly triggered on system time changes.
- Feature: the 'escape=none' parameter of the 'log_format' directive.
Thanks to Johannes Baiter and Calin Don.
- Feature: the $ssl_preread_alpn_protocols variable in the
ngx_stream_ssl_preread_module.
- Feature: the ngx_http_grpc_module.
- Bugfix: in memory allocation error handling in the 'geo' directive.
- Bugfix: when using variables in the 'auth_basic_user_file' directive
a null character might appear in logs.
Thanks to Vadim Filimonov.
Patchnames: openSUSE-2019-195
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
8.2 (High)
Affected products
Recommended
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
18 references
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://bugzilla.suse.com/1115015 | self |
| https://bugzilla.suse.com/1115022 | self |
| https://bugzilla.suse.com/1115025 | self |
| https://www.suse.com/security/cve/CVE-2018-16843/ | self |
| https://www.suse.com/security/cve/CVE-2018-16844/ | self |
| https://www.suse.com/security/cve/CVE-2018-16845/ | self |
| https://www.suse.com/security/cve/CVE-2018-16843 | external |
| https://bugzilla.suse.com/1115022 | external |
| https://bugzilla.suse.com/1115025 | external |
| https://www.suse.com/security/cve/CVE-2018-16844 | external |
| https://bugzilla.suse.com/1115022 | external |
| https://bugzilla.suse.com/1115025 | external |
| https://www.suse.com/security/cve/CVE-2018-16845 | external |
| https://bugzilla.suse.com/1115015 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nginx",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nginx fixes the following issues:\n\nnginx was updated to 1.14.2:\n\n- Bugfix: nginx could not be built on Fedora 28 Linux.\n- Bugfix: in handling of client addresses when using unix domain\n listen sockets to work with datagrams on Linux.\n- Change: the logging level of the \u0027http request\u0027, \u0027https proxy\n request\u0027, \u0027unsupported protocol\u0027, \u0027version too low\u0027,\n \u0027no suitable key share\u0027, and \u0027no suitable signature algorithm\u0027\n SSL errors has been lowered from \u0027crit\u0027 to \u0027info\u0027.\n- Bugfix: when using OpenSSL 1.1.0 or newer it was not possible\n to switch off \u0027ssl_prefer_server_ciphers\u0027 in a virtual server\n if it was switched on in the default server.\n- Bugfix: nginx could not be built with LibreSSL 2.8.0.\n- Bugfix: if nginx was built with OpenSSL 1.1.0 and used with\n OpenSSL 1.1.1, the TLS 1.3 protocol was always enabled.\n- Bugfix: sending a disk-buffered request body to a gRPC backend\n might fail.\n- Bugfix: connections with some gRPC backends might not be cached when\n using the \u0027keepalive\u0027 directive.\n- Bugfix: a segmentation fault might occur in a worker process if the\n ngx_http_mp4_module was used on 32-bit platforms.\n\nChanges with nginx 1.14.1:\n\n- Security: when using HTTP/2 a client might cause excessive memory\n consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).\n- Security: processing of a specially crafted mp4 file with the\n ngx_http_mp4_module might result in worker process memory disclosure\n (CVE-2018-16845).\n- Bugfix: working with gRPC backends might result in excessive memory\n consumption.\n\nChanges with nginx 1.13.12:\n\n- Bugfix: connections with gRPC backends might be closed unexpectedly\n when returning a large response.\n\nChanges with nginx 1.13.10\n\n- Feature: the \u0027set\u0027 parameter of the \u0027include\u0027 SSI \n directive now allows writing arbitrary responses to a\n variable; the \u0027subrequest_output_buffer_size\u0027 directive\n defines maximum response size.\n- Feature: now nginx uses clock_gettime(CLOCK_MONOTONIC) if available,\n to avoid timeouts being incorrectly triggered on system time changes.\n- Feature: the \u0027escape=none\u0027 parameter of the \u0027log_format\u0027 directive.\n Thanks to Johannes Baiter and Calin Don.\n- Feature: the $ssl_preread_alpn_protocols variable in the\n ngx_stream_ssl_preread_module.\n- Feature: the ngx_http_grpc_module.\n- Bugfix: in memory allocation error handling in the \u0027geo\u0027 directive.\n- Bugfix: when using variables in the \u0027auth_basic_user_file\u0027 directive\n a null character might appear in logs.\n Thanks to Vadim Filimonov.\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2019-195",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_0195-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2019:0195-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BANOBXLWHZASXZTGTJCX7HNMKYECPLOA/#BANOBXLWHZASXZTGTJCX7HNMKYECPLOA"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2019:0195-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BANOBXLWHZASXZTGTJCX7HNMKYECPLOA/#BANOBXLWHZASXZTGTJCX7HNMKYECPLOA"
},
{
"category": "self",
"summary": "SUSE Bug 1115015",
"url": "https://bugzilla.suse.com/1115015"
},
{
"category": "self",
"summary": "SUSE Bug 1115022",
"url": "https://bugzilla.suse.com/1115022"
},
{
"category": "self",
"summary": "SUSE Bug 1115025",
"url": "https://bugzilla.suse.com/1115025"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16843 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16843/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16844 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16844/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16845 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16845/"
}
],
"title": "Security update for nginx",
"tracking": {
"current_release_date": "2019-03-23T10:59:22Z",
"generator": {
"date": "2019-03-23T10:59:22Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2019:0195-1",
"initial_release_date": "2019-03-23T10:59:22Z",
"revision_history": [
{
"date": "2019-03-23T10:59:22Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.14.2-16.1.aarch64",
"product": {
"name": "nginx-1.14.2-16.1.aarch64",
"product_id": "nginx-1.14.2-16.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "vim-plugin-nginx-1.14.2-16.1.noarch",
"product": {
"name": "vim-plugin-nginx-1.14.2-16.1.noarch",
"product_id": "vim-plugin-nginx-1.14.2-16.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.14.2-16.1.ppc64le",
"product": {
"name": "nginx-1.14.2-16.1.ppc64le",
"product_id": "nginx-1.14.2-16.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.14.2-16.1.s390x",
"product": {
"name": "nginx-1.14.2-16.1.s390x",
"product_id": "nginx-1.14.2-16.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.14.2-16.1.x86_64",
"product": {
"name": "nginx-1.14.2-16.1.x86_64",
"product_id": "nginx-1.14.2-16.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 12",
"product": {
"name": "SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:12"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.0",
"product": {
"name": "openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.14.2-16.1.aarch64 as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64"
},
"product_reference": "nginx-1.14.2-16.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.14.2-16.1.ppc64le as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le"
},
"product_reference": "nginx-1.14.2-16.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.14.2-16.1.s390x as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:nginx-1.14.2-16.1.s390x"
},
"product_reference": "nginx-1.14.2-16.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.14.2-16.1.x86_64 as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64"
},
"product_reference": "nginx-1.14.2-16.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-plugin-nginx-1.14.2-16.1.noarch as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch"
},
"product_reference": "vim-plugin-nginx-1.14.2-16.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.14.2-16.1.aarch64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64"
},
"product_reference": "nginx-1.14.2-16.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.14.2-16.1.ppc64le as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le"
},
"product_reference": "nginx-1.14.2-16.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.14.2-16.1.s390x as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x"
},
"product_reference": "nginx-1.14.2-16.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.14.2-16.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64"
},
"product_reference": "nginx-1.14.2-16.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-plugin-nginx-1.14.2-16.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch"
},
"product_reference": "vim-plugin-nginx-1.14.2-16.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16843",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16843"
}
],
"notes": [
{
"category": "general",
"text": "nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the \u0027http2\u0027 option of the \u0027listen\u0027 directive is used in a configuration file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64",
"SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le",
"SUSE Package Hub 12:nginx-1.14.2-16.1.s390x",
"SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64",
"SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64",
"openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16843",
"url": "https://www.suse.com/security/cve/CVE-2018-16843"
},
{
"category": "external",
"summary": "SUSE Bug 1115022 for CVE-2018-16843",
"url": "https://bugzilla.suse.com/1115022"
},
{
"category": "external",
"summary": "SUSE Bug 1115025 for CVE-2018-16843",
"url": "https://bugzilla.suse.com/1115025"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64",
"SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le",
"SUSE Package Hub 12:nginx-1.14.2-16.1.s390x",
"SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64",
"SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64",
"openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64",
"SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le",
"SUSE Package Hub 12:nginx-1.14.2-16.1.s390x",
"SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64",
"SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64",
"openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T10:59:22Z",
"details": "moderate"
}
],
"title": "CVE-2018-16843"
},
{
"cve": "CVE-2018-16844",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16844"
}
],
"notes": [
{
"category": "general",
"text": "nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the \u0027http2\u0027 option of the \u0027listen\u0027 directive is used in a configuration file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64",
"SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le",
"SUSE Package Hub 12:nginx-1.14.2-16.1.s390x",
"SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64",
"SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64",
"openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16844",
"url": "https://www.suse.com/security/cve/CVE-2018-16844"
},
{
"category": "external",
"summary": "SUSE Bug 1115022 for CVE-2018-16844",
"url": "https://bugzilla.suse.com/1115022"
},
{
"category": "external",
"summary": "SUSE Bug 1115025 for CVE-2018-16844",
"url": "https://bugzilla.suse.com/1115025"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64",
"SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le",
"SUSE Package Hub 12:nginx-1.14.2-16.1.s390x",
"SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64",
"SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64",
"openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64",
"SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le",
"SUSE Package Hub 12:nginx-1.14.2-16.1.s390x",
"SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64",
"SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64",
"openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T10:59:22Z",
"details": "moderate"
}
],
"title": "CVE-2018-16844"
},
{
"cve": "CVE-2018-16845",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16845"
}
],
"notes": [
{
"category": "general",
"text": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64",
"SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le",
"SUSE Package Hub 12:nginx-1.14.2-16.1.s390x",
"SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64",
"SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64",
"openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16845",
"url": "https://www.suse.com/security/cve/CVE-2018-16845"
},
{
"category": "external",
"summary": "SUSE Bug 1115015 for CVE-2018-16845",
"url": "https://bugzilla.suse.com/1115015"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64",
"SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le",
"SUSE Package Hub 12:nginx-1.14.2-16.1.s390x",
"SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64",
"SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64",
"openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.0"
},
"products": [
"SUSE Package Hub 12:nginx-1.14.2-16.1.aarch64",
"SUSE Package Hub 12:nginx-1.14.2-16.1.ppc64le",
"SUSE Package Hub 12:nginx-1.14.2-16.1.s390x",
"SUSE Package Hub 12:nginx-1.14.2-16.1.x86_64",
"SUSE Package Hub 12:vim-plugin-nginx-1.14.2-16.1.noarch",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.aarch64",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.ppc64le",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.s390x",
"openSUSE Leap 15.0:nginx-1.14.2-16.1.x86_64",
"openSUSE Leap 15.0:vim-plugin-nginx-1.14.2-16.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-23T10:59:22Z",
"details": "important"
}
],
"title": "CVE-2018-16845"
}
]
}
OPENSUSE-SU-2019:2120-1
Vulnerability from csaf_opensuse - Published: 2019-09-10 18:18 - Updated: 2019-09-10 18:18Summary
Security update for nginx
Severity
Important
Notes
Title of the patch: Security update for nginx
Description of the patch: This update for nginx fixes the following issues:
Security issues fixed:
- CVE-2019-9511: Fixed a denial of service by manipulating the window size and stream prioritization (bsc#1145579).
- CVE-2019-9513: Fixed a denial of service caused by resource loops (bsc#1145580).
- CVE-2019-9516: Fixed a denial of service caused by header leaks (bsc#1145582).
- CVE-2018-16845: Fixed denial of service and memory disclosure via mp4 module (bsc#1115015).
- CVE-2018-16843: Fixed excessive memory consumption in HTTP/2 implementation (bsc#1115022).
- CVE-2018-16844: Fixed excessive CPU usage via flaw in HTTP/2 implementation (bsc#1115025).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patchnames: openSUSE-2019-2120
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
8.2 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
40 references
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://bugzilla.suse.com/1115015 | self |
| https://bugzilla.suse.com/1115022 | self |
| https://bugzilla.suse.com/1115025 | self |
| https://bugzilla.suse.com/1145579 | self |
| https://bugzilla.suse.com/1145580 | self |
| https://bugzilla.suse.com/1145582 | self |
| https://www.suse.com/security/cve/CVE-2018-16843/ | self |
| https://www.suse.com/security/cve/CVE-2018-16844/ | self |
| https://www.suse.com/security/cve/CVE-2018-16845/ | self |
| https://www.suse.com/security/cve/CVE-2019-9511/ | self |
| https://www.suse.com/security/cve/CVE-2019-9513/ | self |
| https://www.suse.com/security/cve/CVE-2019-9516/ | self |
| https://www.suse.com/security/cve/CVE-2018-16843 | external |
| https://bugzilla.suse.com/1115022 | external |
| https://bugzilla.suse.com/1115025 | external |
| https://www.suse.com/security/cve/CVE-2018-16844 | external |
| https://bugzilla.suse.com/1115022 | external |
| https://bugzilla.suse.com/1115025 | external |
| https://www.suse.com/security/cve/CVE-2018-16845 | external |
| https://bugzilla.suse.com/1115015 | external |
| https://www.suse.com/security/cve/CVE-2019-9511 | external |
| https://bugzilla.suse.com/1145579 | external |
| https://bugzilla.suse.com/1146091 | external |
| https://bugzilla.suse.com/1146182 | external |
| https://bugzilla.suse.com/1193427 | external |
| https://bugzilla.suse.com/1202787 | external |
| https://www.suse.com/security/cve/CVE-2019-9513 | external |
| https://bugzilla.suse.com/1145580 | external |
| https://bugzilla.suse.com/1146094 | external |
| https://bugzilla.suse.com/1146184 | external |
| https://bugzilla.suse.com/1193427 | external |
| https://bugzilla.suse.com/1202787 | external |
| https://www.suse.com/security/cve/CVE-2019-9516 | external |
| https://bugzilla.suse.com/1145582 | external |
| https://bugzilla.suse.com/1146090 | external |
| https://bugzilla.suse.com/1193427 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nginx",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nginx fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-9511: Fixed a denial of service by manipulating the window size and stream prioritization (bsc#1145579).\n- CVE-2019-9513: Fixed a denial of service caused by resource loops (bsc#1145580).\n- CVE-2019-9516: Fixed a denial of service caused by header leaks (bsc#1145582).\n- CVE-2018-16845: Fixed denial of service and memory disclosure via mp4 module (bsc#1115015).\n- CVE-2018-16843: Fixed excessive memory consumption in HTTP/2 implementation (bsc#1115022).\n- CVE-2018-16844: Fixed excessive CPU usage via flaw in HTTP/2 implementation (bsc#1115025).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2019-2120",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_2120-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2019:2120-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BWXBLC3WM4NT33YQW6VEXFVCPFVQE7FB/#BWXBLC3WM4NT33YQW6VEXFVCPFVQE7FB"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2019:2120-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BWXBLC3WM4NT33YQW6VEXFVCPFVQE7FB/#BWXBLC3WM4NT33YQW6VEXFVCPFVQE7FB"
},
{
"category": "self",
"summary": "SUSE Bug 1115015",
"url": "https://bugzilla.suse.com/1115015"
},
{
"category": "self",
"summary": "SUSE Bug 1115022",
"url": "https://bugzilla.suse.com/1115022"
},
{
"category": "self",
"summary": "SUSE Bug 1115025",
"url": "https://bugzilla.suse.com/1115025"
},
{
"category": "self",
"summary": "SUSE Bug 1145579",
"url": "https://bugzilla.suse.com/1145579"
},
{
"category": "self",
"summary": "SUSE Bug 1145580",
"url": "https://bugzilla.suse.com/1145580"
},
{
"category": "self",
"summary": "SUSE Bug 1145582",
"url": "https://bugzilla.suse.com/1145582"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16843 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16843/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16844 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16844/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16845 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16845/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-9511 page",
"url": "https://www.suse.com/security/cve/CVE-2019-9511/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-9513 page",
"url": "https://www.suse.com/security/cve/CVE-2019-9513/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-9516 page",
"url": "https://www.suse.com/security/cve/CVE-2019-9516/"
}
],
"title": "Security update for nginx",
"tracking": {
"current_release_date": "2019-09-10T18:18:07Z",
"generator": {
"date": "2019-09-10T18:18:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2019:2120-1",
"initial_release_date": "2019-09-10T18:18:07Z",
"revision_history": [
{
"date": "2019-09-10T18:18:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nginx-source-1.14.2-lp151.4.3.1.noarch",
"product": {
"name": "nginx-source-1.14.2-lp151.4.3.1.noarch",
"product_id": "nginx-source-1.14.2-lp151.4.3.1.noarch"
}
},
{
"category": "product_version",
"name": "vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch",
"product": {
"name": "vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch",
"product_id": "vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.14.2-lp151.4.3.1.x86_64",
"product": {
"name": "nginx-1.14.2-lp151.4.3.1.x86_64",
"product_id": "nginx-1.14.2-lp151.4.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.14.2-lp151.4.3.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64"
},
"product_reference": "nginx-1.14.2-lp151.4.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-source-1.14.2-lp151.4.3.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch"
},
"product_reference": "nginx-source-1.14.2-lp151.4.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
},
"product_reference": "vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16843",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16843"
}
],
"notes": [
{
"category": "general",
"text": "nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the \u0027http2\u0027 option of the \u0027listen\u0027 directive is used in a configuration file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16843",
"url": "https://www.suse.com/security/cve/CVE-2018-16843"
},
{
"category": "external",
"summary": "SUSE Bug 1115022 for CVE-2018-16843",
"url": "https://bugzilla.suse.com/1115022"
},
{
"category": "external",
"summary": "SUSE Bug 1115025 for CVE-2018-16843",
"url": "https://bugzilla.suse.com/1115025"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-09-10T18:18:07Z",
"details": "moderate"
}
],
"title": "CVE-2018-16843"
},
{
"cve": "CVE-2018-16844",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16844"
}
],
"notes": [
{
"category": "general",
"text": "nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the \u0027http2\u0027 option of the \u0027listen\u0027 directive is used in a configuration file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16844",
"url": "https://www.suse.com/security/cve/CVE-2018-16844"
},
{
"category": "external",
"summary": "SUSE Bug 1115022 for CVE-2018-16844",
"url": "https://bugzilla.suse.com/1115022"
},
{
"category": "external",
"summary": "SUSE Bug 1115025 for CVE-2018-16844",
"url": "https://bugzilla.suse.com/1115025"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-09-10T18:18:07Z",
"details": "moderate"
}
],
"title": "CVE-2018-16844"
},
{
"cve": "CVE-2018-16845",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16845"
}
],
"notes": [
{
"category": "general",
"text": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16845",
"url": "https://www.suse.com/security/cve/CVE-2018-16845"
},
{
"category": "external",
"summary": "SUSE Bug 1115015 for CVE-2018-16845",
"url": "https://bugzilla.suse.com/1115015"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-09-10T18:18:07Z",
"details": "important"
}
],
"title": "CVE-2018-16845"
},
{
"cve": "CVE-2019-9511",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-9511"
}
],
"notes": [
{
"category": "general",
"text": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-9511",
"url": "https://www.suse.com/security/cve/CVE-2019-9511"
},
{
"category": "external",
"summary": "SUSE Bug 1145579 for CVE-2019-9511",
"url": "https://bugzilla.suse.com/1145579"
},
{
"category": "external",
"summary": "SUSE Bug 1146091 for CVE-2019-9511",
"url": "https://bugzilla.suse.com/1146091"
},
{
"category": "external",
"summary": "SUSE Bug 1146182 for CVE-2019-9511",
"url": "https://bugzilla.suse.com/1146182"
},
{
"category": "external",
"summary": "SUSE Bug 1193427 for CVE-2019-9511",
"url": "https://bugzilla.suse.com/1193427"
},
{
"category": "external",
"summary": "SUSE Bug 1202787 for CVE-2019-9511",
"url": "https://bugzilla.suse.com/1202787"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-09-10T18:18:07Z",
"details": "important"
}
],
"title": "CVE-2019-9511"
},
{
"cve": "CVE-2019-9513",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-9513"
}
],
"notes": [
{
"category": "general",
"text": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-9513",
"url": "https://www.suse.com/security/cve/CVE-2019-9513"
},
{
"category": "external",
"summary": "SUSE Bug 1145580 for CVE-2019-9513",
"url": "https://bugzilla.suse.com/1145580"
},
{
"category": "external",
"summary": "SUSE Bug 1146094 for CVE-2019-9513",
"url": "https://bugzilla.suse.com/1146094"
},
{
"category": "external",
"summary": "SUSE Bug 1146184 for CVE-2019-9513",
"url": "https://bugzilla.suse.com/1146184"
},
{
"category": "external",
"summary": "SUSE Bug 1193427 for CVE-2019-9513",
"url": "https://bugzilla.suse.com/1193427"
},
{
"category": "external",
"summary": "SUSE Bug 1202787 for CVE-2019-9513",
"url": "https://bugzilla.suse.com/1202787"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-09-10T18:18:07Z",
"details": "important"
}
],
"title": "CVE-2019-9513"
},
{
"cve": "CVE-2019-9516",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-9516"
}
],
"notes": [
{
"category": "general",
"text": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-9516",
"url": "https://www.suse.com/security/cve/CVE-2019-9516"
},
{
"category": "external",
"summary": "SUSE Bug 1145582 for CVE-2019-9516",
"url": "https://bugzilla.suse.com/1145582"
},
{
"category": "external",
"summary": "SUSE Bug 1146090 for CVE-2019-9516",
"url": "https://bugzilla.suse.com/1146090"
},
{
"category": "external",
"summary": "SUSE Bug 1193427 for CVE-2019-9516",
"url": "https://bugzilla.suse.com/1193427"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:nginx-1.14.2-lp151.4.3.1.x86_64",
"openSUSE Leap 15.1:nginx-source-1.14.2-lp151.4.3.1.noarch",
"openSUSE Leap 15.1:vim-plugin-nginx-1.14.2-lp151.4.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-09-10T18:18:07Z",
"details": "important"
}
],
"title": "CVE-2019-9516"
}
]
}
OPENSUSE-SU-2024:11092-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
nginx-1.21.3-1.4 on GA media
Severity
Moderate
Notes
Title of the patch: nginx-1.21.3-1.4 on GA media
Description of the patch: These are all security issues fixed in the nginx-1.21.3-1.4 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-11092
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
8.2 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
30 references
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2017-7529/ | self |
| https://www.suse.com/security/cve/CVE-2018-16843/ | self |
| https://www.suse.com/security/cve/CVE-2018-16845/ | self |
| https://www.suse.com/security/cve/CVE-2019-20372/ | self |
| https://www.suse.com/security/cve/CVE-2019-9511/ | self |
| https://www.suse.com/security/cve/CVE-2019-9516/ | self |
| https://www.suse.com/security/cve/CVE-2021-23017/ | self |
| https://www.suse.com/security/cve/CVE-2017-7529 | external |
| https://bugzilla.suse.com/1048265 | external |
| https://www.suse.com/security/cve/CVE-2018-16843 | external |
| https://bugzilla.suse.com/1115022 | external |
| https://bugzilla.suse.com/1115025 | external |
| https://www.suse.com/security/cve/CVE-2018-16845 | external |
| https://bugzilla.suse.com/1115015 | external |
| https://www.suse.com/security/cve/CVE-2019-20372 | external |
| https://bugzilla.suse.com/1160682 | external |
| https://www.suse.com/security/cve/CVE-2019-9511 | external |
| https://bugzilla.suse.com/1145579 | external |
| https://bugzilla.suse.com/1146091 | external |
| https://bugzilla.suse.com/1146182 | external |
| https://bugzilla.suse.com/1193427 | external |
| https://bugzilla.suse.com/1202787 | external |
| https://www.suse.com/security/cve/CVE-2019-9516 | external |
| https://bugzilla.suse.com/1145582 | external |
| https://bugzilla.suse.com/1146090 | external |
| https://bugzilla.suse.com/1193427 | external |
| https://www.suse.com/security/cve/CVE-2021-23017 | external |
| https://bugzilla.suse.com/1186126 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "nginx-1.21.3-1.4 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the nginx-1.21.3-1.4 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11092",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11092-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-7529 page",
"url": "https://www.suse.com/security/cve/CVE-2017-7529/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16843 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16843/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-16845 page",
"url": "https://www.suse.com/security/cve/CVE-2018-16845/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-20372 page",
"url": "https://www.suse.com/security/cve/CVE-2019-20372/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-9511 page",
"url": "https://www.suse.com/security/cve/CVE-2019-9511/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-9516 page",
"url": "https://www.suse.com/security/cve/CVE-2019-9516/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-23017 page",
"url": "https://www.suse.com/security/cve/CVE-2021-23017/"
}
],
"title": "nginx-1.21.3-1.4 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11092-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.21.3-1.4.aarch64",
"product": {
"name": "nginx-1.21.3-1.4.aarch64",
"product_id": "nginx-1.21.3-1.4.aarch64"
}
},
{
"category": "product_version",
"name": "nginx-source-1.21.3-1.4.aarch64",
"product": {
"name": "nginx-source-1.21.3-1.4.aarch64",
"product_id": "nginx-source-1.21.3-1.4.aarch64"
}
},
{
"category": "product_version",
"name": "vim-plugin-nginx-1.21.3-1.4.aarch64",
"product": {
"name": "vim-plugin-nginx-1.21.3-1.4.aarch64",
"product_id": "vim-plugin-nginx-1.21.3-1.4.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.21.3-1.4.ppc64le",
"product": {
"name": "nginx-1.21.3-1.4.ppc64le",
"product_id": "nginx-1.21.3-1.4.ppc64le"
}
},
{
"category": "product_version",
"name": "nginx-source-1.21.3-1.4.ppc64le",
"product": {
"name": "nginx-source-1.21.3-1.4.ppc64le",
"product_id": "nginx-source-1.21.3-1.4.ppc64le"
}
},
{
"category": "product_version",
"name": "vim-plugin-nginx-1.21.3-1.4.ppc64le",
"product": {
"name": "vim-plugin-nginx-1.21.3-1.4.ppc64le",
"product_id": "vim-plugin-nginx-1.21.3-1.4.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.21.3-1.4.s390x",
"product": {
"name": "nginx-1.21.3-1.4.s390x",
"product_id": "nginx-1.21.3-1.4.s390x"
}
},
{
"category": "product_version",
"name": "nginx-source-1.21.3-1.4.s390x",
"product": {
"name": "nginx-source-1.21.3-1.4.s390x",
"product_id": "nginx-source-1.21.3-1.4.s390x"
}
},
{
"category": "product_version",
"name": "vim-plugin-nginx-1.21.3-1.4.s390x",
"product": {
"name": "vim-plugin-nginx-1.21.3-1.4.s390x",
"product_id": "vim-plugin-nginx-1.21.3-1.4.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nginx-1.21.3-1.4.x86_64",
"product": {
"name": "nginx-1.21.3-1.4.x86_64",
"product_id": "nginx-1.21.3-1.4.x86_64"
}
},
{
"category": "product_version",
"name": "nginx-source-1.21.3-1.4.x86_64",
"product": {
"name": "nginx-source-1.21.3-1.4.x86_64",
"product_id": "nginx-source-1.21.3-1.4.x86_64"
}
},
{
"category": "product_version",
"name": "vim-plugin-nginx-1.21.3-1.4.x86_64",
"product": {
"name": "vim-plugin-nginx-1.21.3-1.4.x86_64",
"product_id": "vim-plugin-nginx-1.21.3-1.4.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.21.3-1.4.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64"
},
"product_reference": "nginx-1.21.3-1.4.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.21.3-1.4.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le"
},
"product_reference": "nginx-1.21.3-1.4.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.21.3-1.4.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x"
},
"product_reference": "nginx-1.21.3-1.4.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-1.21.3-1.4.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64"
},
"product_reference": "nginx-1.21.3-1.4.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-source-1.21.3-1.4.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64"
},
"product_reference": "nginx-source-1.21.3-1.4.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-source-1.21.3-1.4.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le"
},
"product_reference": "nginx-source-1.21.3-1.4.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-source-1.21.3-1.4.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x"
},
"product_reference": "nginx-source-1.21.3-1.4.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nginx-source-1.21.3-1.4.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64"
},
"product_reference": "nginx-source-1.21.3-1.4.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-plugin-nginx-1.21.3-1.4.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64"
},
"product_reference": "vim-plugin-nginx-1.21.3-1.4.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-plugin-nginx-1.21.3-1.4.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le"
},
"product_reference": "vim-plugin-nginx-1.21.3-1.4.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-plugin-nginx-1.21.3-1.4.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x"
},
"product_reference": "vim-plugin-nginx-1.21.3-1.4.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vim-plugin-nginx-1.21.3-1.4.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
},
"product_reference": "vim-plugin-nginx-1.21.3-1.4.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-7529",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-7529"
}
],
"notes": [
{
"category": "general",
"text": "Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-7529",
"url": "https://www.suse.com/security/cve/CVE-2017-7529"
},
{
"category": "external",
"summary": "SUSE Bug 1048265 for CVE-2017-7529",
"url": "https://bugzilla.suse.com/1048265"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2017-7529"
},
{
"cve": "CVE-2018-16843",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16843"
}
],
"notes": [
{
"category": "general",
"text": "nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the \u0027http2\u0027 option of the \u0027listen\u0027 directive is used in a configuration file.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16843",
"url": "https://www.suse.com/security/cve/CVE-2018-16843"
},
{
"category": "external",
"summary": "SUSE Bug 1115022 for CVE-2018-16843",
"url": "https://bugzilla.suse.com/1115022"
},
{
"category": "external",
"summary": "SUSE Bug 1115025 for CVE-2018-16843",
"url": "https://bugzilla.suse.com/1115025"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2018-16843"
},
{
"cve": "CVE-2018-16845",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-16845"
}
],
"notes": [
{
"category": "general",
"text": "nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-16845",
"url": "https://www.suse.com/security/cve/CVE-2018-16845"
},
{
"category": "external",
"summary": "SUSE Bug 1115015 for CVE-2018-16845",
"url": "https://bugzilla.suse.com/1115015"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-16845"
},
{
"cve": "CVE-2019-20372",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-20372"
}
],
"notes": [
{
"category": "general",
"text": "NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-20372",
"url": "https://www.suse.com/security/cve/CVE-2019-20372"
},
{
"category": "external",
"summary": "SUSE Bug 1160682 for CVE-2019-20372",
"url": "https://bugzilla.suse.com/1160682"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-20372"
},
{
"cve": "CVE-2019-9511",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-9511"
}
],
"notes": [
{
"category": "general",
"text": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-9511",
"url": "https://www.suse.com/security/cve/CVE-2019-9511"
},
{
"category": "external",
"summary": "SUSE Bug 1145579 for CVE-2019-9511",
"url": "https://bugzilla.suse.com/1145579"
},
{
"category": "external",
"summary": "SUSE Bug 1146091 for CVE-2019-9511",
"url": "https://bugzilla.suse.com/1146091"
},
{
"category": "external",
"summary": "SUSE Bug 1146182 for CVE-2019-9511",
"url": "https://bugzilla.suse.com/1146182"
},
{
"category": "external",
"summary": "SUSE Bug 1193427 for CVE-2019-9511",
"url": "https://bugzilla.suse.com/1193427"
},
{
"category": "external",
"summary": "SUSE Bug 1202787 for CVE-2019-9511",
"url": "https://bugzilla.suse.com/1202787"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-9511"
},
{
"cve": "CVE-2019-9516",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-9516"
}
],
"notes": [
{
"category": "general",
"text": "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-9516",
"url": "https://www.suse.com/security/cve/CVE-2019-9516"
},
{
"category": "external",
"summary": "SUSE Bug 1145582 for CVE-2019-9516",
"url": "https://bugzilla.suse.com/1145582"
},
{
"category": "external",
"summary": "SUSE Bug 1146090 for CVE-2019-9516",
"url": "https://bugzilla.suse.com/1146090"
},
{
"category": "external",
"summary": "SUSE Bug 1193427 for CVE-2019-9516",
"url": "https://bugzilla.suse.com/1193427"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-9516"
},
{
"cve": "CVE-2021-23017",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-23017"
}
],
"notes": [
{
"category": "general",
"text": "A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-23017",
"url": "https://www.suse.com/security/cve/CVE-2021-23017"
},
{
"category": "external",
"summary": "SUSE Bug 1186126 for CVE-2021-23017",
"url": "https://bugzilla.suse.com/1186126"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:nginx-source-1.21.3-1.4.x86_64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.aarch64",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.ppc64le",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.s390x",
"openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-23017"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…