CVE-2017-20005

CWE-190 — Integer Overflow CWE-120 — Classic Buffer Overflow CWE-119 — Buffer Overflow7 documents7 sources

Severity

9.8CRITICAL

EPSS

3.3%

top 12.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx Debian Debian Linux

Timeline

PublishedJun 6

Latest updateMay 24

Description

NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDf5/nginx< 1.13.6

▶Debiannginx< 1.13.6-1+3

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: trac.nginx.org ↗

🔴Vulnerability Details

GHSA

GHSA-6g54-r3q8-8jvq: NGINX before 1↗2022-05-24

▶

CVEList

CVE-2017-20005: NGINX before 1↗2021-06-06

▶

OSV

CVE-2017-20005: NGINX before 1↗2021-06-06

▶

📋Vendor Advisories

Ubuntu

nginx vulnerability↗2021-10-18

▶

Red Hat

nginx: buffer overflow in ngx_gmtime() triggered by 5 digit years↗2017-09-13

▶

Debian

CVE-2017-20005: nginx - NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as ...↗2017

▶