var-202210-1347
Vulnerability from variot
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
F5 BIG-IP and so on are all products of F5 Company in the United States. F5 BIG-IP is an application delivery platform that integrates functions such as network traffic management, application security management, and load balancing. F5 BIG-IQ is a software-based cloud management solution. F5 F5OS-A is an operating system software. F5 BIG-IP, BIG-IQ, F5OS-A, and F5OS-C have buffer error vulnerabilities.
Debian Security Advisory DSA-5281-1    security@debian.org
https://www.debian.org/security/       Moritz Muehlenhoff
November 15, 2022                      https://www.debian.org/security/faq
Package : nginx
CVE ID : CVE-2022-41741 CVE-2022-41742
It was discovered that parsing errors in the mp4 module of Nginx, a high-performance web and reverse proxy server, could result in denial of service, memory disclosure or potentially the execution of arbitrary code when processing a malformed mp4 file.
This module is only enabled in the nginx-extras binary package.
For the stable distribution (bullseye), these problems have been fixed in version 1.18.0-6.1+deb11u3.
We recommend that you upgrade your nginx packages.
For the detailed security status of nginx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nginx
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
Ubuntu Security Notice USN-5722-1
November 15, 2022
nginx vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in nginx.
Software Description:
- nginx: small, powerful, scalable web/proxy server
Details:
It was discovered that nginx incorrectly handled certain memory operations in the ngx_http_mp4_module module. (CVE-2022-41741, CVE-2022-41742)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.10:
- nginx 1.22.0-1ubuntu1.1
- nginx-common 1.22.0-1ubuntu1.1
- nginx-core 1.22.0-1ubuntu1.1
- nginx-extras 1.22.0-1ubuntu1.1
- nginx-full 1.22.0-1ubuntu1.1
- nginx-light 1.22.0-1ubuntu1.1
Ubuntu 22.04 LTS:
- nginx 1.18.0-6ubuntu14.3
- nginx-common 1.18.0-6ubuntu14.3
- nginx-core 1.18.0-6ubuntu14.3
- nginx-extras 1.18.0-6ubuntu14.3
- nginx-full 1.18.0-6ubuntu14.3
- nginx-light 1.18.0-6ubuntu14.3
Ubuntu 20.04 LTS:
- nginx 1.18.0-0ubuntu1.4
- nginx-common 1.18.0-0ubuntu1.4
- nginx-core 1.18.0-0ubuntu1.4
- nginx-extras 1.18.0-0ubuntu1.4
- nginx-full 1.18.0-0ubuntu1.4
- nginx-light 1.18.0-0ubuntu1.4
Ubuntu 18.04 LTS:
- nginx 1.14.0-0ubuntu1.11
- nginx-common 1.14.0-0ubuntu1.11
- nginx-core 1.14.0-0ubuntu1.11
- nginx-extras 1.14.0-0ubuntu1.11
- nginx-full 1.14.0-0ubuntu1.11
- nginx-light 1.14.0-0ubuntu1.11
Ubuntu 16.04 ESM:
- nginx 1.10.3-0ubuntu0.16.04.5+esm5
- nginx-common 1.10.3-0ubuntu0.16.04.5+esm5
- nginx-core 1.10.3-0ubuntu0.16.04.5+esm5
- nginx-extras 1.10.3-0ubuntu0.16.04.5+esm5
- nginx-full 1.10.3-0ubuntu0.16.04.5+esm5
- nginx-light 1.10.3-0ubuntu0.16.04.5+esm5
Ubuntu 14.04 ESM:
- nginx 1.4.6-1ubuntu3.9+esm4
- nginx-common 1.4.6-1ubuntu3.9+esm4
- nginx-core 1.4.6-1ubuntu3.9+esm4
- nginx-extras 1.4.6-1ubuntu3.9+esm4
- nginx-full 1.4.6-1ubuntu3.9+esm4
- nginx-light 1.4.6-1ubuntu3.9+esm4
In general, a standard system update will make all the necessary changes.
References:
- https://ubuntu.com/security/notices/USN-5722-1
- CVE-2022-41741, CVE-2022-41742
Package Information:
- https://launchpad.net/ubuntu/+source/nginx/1.22.0-1ubuntu1.1
- https://launchpad.net/ubuntu/+source/nginx/1.18.0-6ubuntu14.3
- https://launchpad.net/ubuntu/+source/nginx/1.18.0-0ubuntu1.4
- https://launchpad.net/ubuntu/+source/nginx/1.14.0-0ubuntu1.11
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.