CVE-2024-32760

CWE-787 — Out-of-bounds Write8 documents8 sources

Severity

6.5MEDIUM

EPSS

0.5%

top 34.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx Open Source F5 Nginx Plus Fedoraproject Fedora

Timeline

PublishedMay 29

Latest updateOct 15

Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages5 packages

▶CVEListV5f5/nginx_plusR30 — R32

▶NVDf5/nginx_plusr30, r31+1

▶CVEListV5f5/nginx_open_source1.25.0 — 1.26.1

▶NVDf5/nginx_open_source1.25.0 — 1.26.1

▶Debiannginx< 1.26.0-2+1

Also affects: Fedora 39, 40

🔴Vulnerability Details

CVEList

NGINX HTTP/3 QUIC vulnerability↗2024-05-29

▶

OSV

CVE-2024-32760: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to↗2024-05-29

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Mediation Engine (nginx) — CVE-2024-32760↗2024-10-15

▶

Red Hat

nginx: undisclosed HTTP/3 encoder instructions terminate or cause or other potential impact↗2024-05-29

▶

CVE-2024-32760: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions ca...↗2024-05-29

▶

Debian

CVE-2024-32760: nginx - When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undis...↗2024

▶

💬Community

HackerOne

CVE-2024-32760 in nginx↗2024-07-01

▶