CVE-2020-36309 — Lua-nginx-module vulnerability

9 documents6 sources

Severity

5.3MEDIUMNVD

OSV7.5

EPSS

0.4%

top 37.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx Openresty Lua-nginx-module

Timeline

PublishedApr 6

Latest updateOct 7

Description

ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDopenresty/lua-nginx-module< 0.10.16

▶Debianf5/nginx< 1.18.0-6.1+deb11u5+3

▶Ubuntuf5/nginx< 1.14.0-0ubuntu1.10+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

nginx vulnerability↗2022-10-07

▶

GHSA

GHSA-j8m6-95xp-pmp6: ngx_http_lua_module (aka lua-nginx-module) before 0↗2022-05-24

▶

OSV

nginx vulnerability↗2022-04-28

▶

OSV

nginx vulnerabilities↗2022-04-12

▶

CVEList

CVE-2020-36309: ngx_http_lua_module (aka lua-nginx-module) before 0↗2021-04-06

▶

📋Vendor Advisories

Ubuntu

nginx vulnerabilities↗2022-04-12

▶

Debian

CVE-2020-36309: libnginx-mod-http-lua - ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows un...↗2020

▶