CVE-2024-24989
Vulnerability from cvelistv5
Published
2024-02-14 16:30
Modified
2024-08-01 23:36
Severity ?
EPSS score ?
Summary
NGINX HTTP/3 QUIC vulnerability
References
Impacted products
▼ | Vendor | Product |
---|---|---|
F5 | NGINX Plus | |
F5 | NGINX Open Source |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:36:21.189Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://my.f5.com/manage/s/article/K000138444" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/05/30/4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "modules": [ "HTTP/3", "QUIC" ], "product": "NGINX Plus", "vendor": "F5", "versions": [ { "lessThan": "R31 P1", "status": "affected", "version": "R31", "versionType": "custom" } ] }, { "defaultStatus": "unknown", "modules": [ "HTTP/3", "QUIC" ], "product": "NGINX Open Source", "vendor": "F5", "versions": [ { "lessThan": "1.25.4", "status": "affected", "version": "1.25.3", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "F5" } ], "datePublic": "2024-02-14T15:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cp\u003eWhen NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNote\u003c/strong\u003e: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://nginx.org/en/docs/quic.html\"\u003eSupport for QUIC and HTTP/3\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003e\n\nNOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated\n\n\u003cbr\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e" } ], "value": "\nWhen NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.\n\nNote: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .\n\n\n\nNOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated\n\n\n\n\n\n\n\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-14T16:30:26.081Z", "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://my.f5.com/manage/s/article/K000138444" }, { "url": "http://www.openwall.com/lists/oss-security/2024/05/30/4" } ], "source": { "discovery": "INTERNAL" }, "title": "NGINX HTTP/3 QUIC vulnerability", "x_generator": { "engine": "F5 SIRTBot v1.0" } } }, "cveMetadata": { "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "assignerShortName": "f5", "cveId": "CVE-2024-24989", "datePublished": "2024-02-14T16:30:26.081Z", "dateReserved": "2024-02-02T00:32:55.375Z", "dateUpdated": "2024-08-01T23:36:21.189Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-24989\",\"sourceIdentifier\":\"f5sirt@f5.com\",\"published\":\"2024-02-14T17:15:15.513\",\"lastModified\":\"2024-06-10T17:16:21.607\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nWhen NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.\\n\\nNote: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .\\n\\n\\n\\nNOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated\\n\\n\\n\\n\\n\\n\\n\\n\\n\"},{\"lang\":\"es\",\"value\":\"Cuando NGINX Plus o NGINX OSS est\u00e1n configurados para usar el m\u00f3dulo HTTP/3 QUIC, las solicitudes no divulgadas pueden hacer que los procesos de trabajo de NGINX finalicen. Nota: El m\u00f3dulo HTTP/3 QUIC no est\u00e1 habilitado de forma predeterminada y se considera experimental. Para obtener m\u00e1s informaci\u00f3n, consulte Compatibilidad con QUIC y HTTP/3 https://nginx.org/en/docs/quic.html. NOTA: Las versiones de software que han llegado al final del soporte t\u00e9cnico (EoTS) no se eval\u00faan\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/05/30/4\",\"source\":\"f5sirt@f5.com\"},{\"url\":\"https://my.f5.com/manage/s/article/K000138444\",\"source\":\"f5sirt@f5.com\"}]}}" } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.