Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-2629 — Out-of-bounds Write in F5 Nginx

CWE-787 — Out-of-bounds Write8 documents8 sources

Severity

7.5HIGHNVD

EPSS

78.1%

top 0.98%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

F5 Nginx Debian Linux Fedoraproject Fedora

Timeline

PublishedSep 15

Latest updateMay 2

Description

Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDf5/nginx0.1.0 — 0.5.38+3

▶Debianf5/nginx< 0.7.61-3+3

Also affects: Debian Linux 4.0, 5.0, 6.0, Fedora 10, 11, 12

🔴Vulnerability Details

GHSA

GHSA-f36r-j88j-6j27: Buffer underflow in src/http/ngx_http_parse↗2022-05-02

▶

CVEList

CVE-2009-2629: Buffer underflow in src/http/ngx_http_parse↗2009-09-15

▶

OSV

CVE-2009-2629: Buffer underflow in src/http/ngx_http_parse↗2009-09-15

▶

💥Exploits & PoCs

Exploit-DB

Nginx 0.6.38 - Heap Corruption↗2010-08-29

▶

📋Vendor Advisories

Red Hat

nginx: ngx_http_parse_complex_uri() buffer underflow vulnerability (VU#180065)↗2009-09-14

▶

Debian

CVE-2009-2629: nginx - Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6...↗2009

▶

💬Community

Bugzilla

CVE-2009-2629 nginx: ngx_http_parse_complex_uri() buffer underflow vulnerability (VU#180065)↗2009-09-14

▶