NGINX Open Source prior to 1.23.2 and 1.22.1, NGINX Open Source Subscription prior to R2 P1 and R1 P1, and NGINX Plus prior to R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local malicious user to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
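The three conditions above (module compiled in, `mp4` directive enabled, version older than the fixed releases) can be checked from `nginx -V` and `nginx -T` output. The triage script below is an added example, not part of the advisory. Its function names and sample input are constructed, and its version test applies to upstream NGINX Open Source version strings only, since NGINX Plus and distribution packages carry their own patch levels.

```shell
#!/bin/sh
# Added example, not from the advisory; function names are hypothetical.

# Succeeds when an upstream NGINX Open Source version predates the fixed
# releases named in the advisory (1.23.2 and 1.22.1).
nginx_version_affected() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 22 ] && return 0
    [ "$minor" -eq 22 ] && [ "$patch" -lt 1 ] && return 0
    [ "$minor" -eq 23 ] && [ "$patch" -lt 2 ] && return 0
    return 1
}

# Succeeds when config text (as dumped by `nginx -T`) enables the mp4
# directive outside a comment; mp4_buffer_size and similar do not count.
mp4_directive_used() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '(^|[;{}[:space:]])mp4[[:space:]]*;'
}

# Prints one verdict for `nginx -V` text ($1) and `nginx -T` text ($2).
mp4_exposure() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p')
    [ -n "$ver" ] || { echo "unknown-version"; return 0; }
    case $1 in
        *--with-http_mp4_module*) ;;
        *) echo "module-not-built"; return 0 ;;
    esac
    nginx_version_affected "$ver" || { echo "fixed-version"; return 0; }
    if mp4_directive_used "$2"; then echo "exposed"
    else echo "built-but-unused"; fi
}

# Constructed sample input, not captured from a real host.
SAMPLE_V='nginx version: nginx/1.23.1
configure arguments: --with-http_ssl_module --with-http_mp4_module'
SAMPLE_CONF='http { server {
    # mp4;   (disabled here)
    location /video/ { mp4; mp4_buffer_size 1m; }
} }'
mp4_exposure "$SAMPLE_V" "$SAMPLE_CONF"   # prints: exposed
# On a host: mp4_exposure "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
```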
Vulnerable Product |
---|
f5 nginx |
f5 nginx 1.23.0 |
f5 nginx 1.23.1 |
f5 nginx r1 |
f5 nginx r2 |
f5 nginx ingress controller |
fedoraproject fedora 35 |
fedoraproject fedora 36 |
fedoraproject fedora 37 |
debian debian linux 10.0 |
debian debian linux 11.0 |