Description
ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| libnginx-mod-http-lua | not-affected | | | package |
| nginx | fixed | 1.22.0-3 | | package |
| nginx | ignored | | buster | package |
| nginx | postponed | | stretch | package |
Notes
https://news.ycombinator.com/item?id=26709159
https://robertchen.cc/blog/2021/04/03/github-pages-xss
https://github.com/openresty/lua-nginx-module/pull/1654
src:nginx/1.22.0-3 removed the http-lua module and moved it to a separate package