Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-35200

Опубликовано: 29 мая 2024
Источник: redhat
CVSS3: 7.5

Описание

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.

A flaw was found in the nginx HTTP/3 implementation. This issue may allow an attacker using a specially crafted QUIC session to trigger a NULL pointer dereference error, causing worker processes to crash and lead to a denial of service.

Отчет

As this flaw allows a remote attacker to cause a denial of service, it has been rated with an important severity. The nginx package as shipped in Red Hat Enterprise Linux 8, 9 and RHSCL is not affected by this vulnerability because the support for HTTP/3 is not enabled and the vulnerable code was introduced in a later version of nginx.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Automation Platform 1.2nginxNot affected
Red Hat Enterprise Linux 8nginx:1.22/nginxNot affected
Red Hat Enterprise Linux 8nginx:1.24/nginxNot affected
Red Hat Enterprise Linux 9nginxNot affected
Red Hat Enterprise Linux 9nginx:1.22/nginxNot affected
Red Hat Enterprise Linux 9nginx:1.24/nginxNot affected
Red Hat Software Collectionsrh-nginx118-nginxNot affected
Red Hat Software Collectionsrh-nginx120-nginxNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-476
https://bugzilla.redhat.com/show_bug.cgi?id=2283919nginx: undisclosed HTTP/3 requests can cause NGINX worker processes to terminate

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2024-35200

CVSS3: 5.3
ubuntu
около 1 года назад

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.

nvd логотип

CVE-2024-35200

CVSS3: 5.3
nvd
около 1 года назад

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.

debian логотип

CVE-2024-35200

CVSS3: 5.3
debian
около 1 года назад

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC mod ...

fstec логотип

BDU:2024-04389

CVSS3: 7.5
fstec
около 1 года назад

Уязвимость модуля HTTP/3 QUIC (ngx_http_v3_module) веб-серверов NGINX Plus и NGINX OSS, позволяющая нарушителю вызвать отказ в обслуживании

redos логотип

ROS-20240725-01

CVSS3: 7.5
redos
11 месяцев назад

Множественные уязвимости nginx

7.5 High

CVSS3