CVE-2024-24990

CWE-416Use After Free7 documents7 sources
Severity
7.5HIGH
EPSS
0.2%
top 60.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
F5 Nginx Open SourceF5 Nginx Plus
Timeline
PublishedFeb 14

Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

CVEListV5f5/nginx_plusR31R31 P1+1
NVDf5/nginx_plusr30, r31+1
CVEListV5f5/nginx_open_source1.25.01.25.4
NVDf5/nginx_open_source1.25.01.25.4
Debiannginx< 1.26.0-1+1

🔴Vulnerability Details

3
OSV
CVE-2024-24990: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate2024-02-14
GHSA
GHSA-38gr-cjjp-3f5w: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate2024-02-14
CVEList
NGINX HTTP/3 QUIC vulnerability2024-02-14

📋Vendor Advisories

3
F5
CVE-2024-24990: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worke...2024-02-14
Red Hat
nginx: Use-after-free in HTTP/32024-02-14
Debian
CVE-2024-24990: nginx - When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undis...2024