CVE-2024-24989

CWE-476 — NULL Pointer Dereference7 documents7 sources

Severity

7.5HIGH

EPSS

0.6%

top 29.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx Open Source F5 Nginx Plus

Timeline

PublishedFeb 14

Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5f5/nginx_plusR31 — R31 P1

▶NVDf5/nginx_plusr31

▶CVEListV5f5/nginx_open_source1.25.3 — 1.25.4

▶Debiannginx< 1.26.0-1+1

▶NVDf5/nginx_open_source1.25.3

🔴Vulnerability Details

CVEList

NGINX HTTP/3 QUIC vulnerability↗2024-02-14

▶

OSV

CVE-2024-24989: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate↗2024-02-14

▶

GHSA

GHSA-m46h-9pv9-w5xp: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate↗2024-02-14

▶

📋Vendor Advisories

CVE-2024-24989: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worke...↗2024-02-14

▶

Red Hat

nginx: NULL pointer dereference in HTTP/3↗2024-02-14

▶

Debian

CVE-2024-24989: nginx - When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undis...↗2024

▶