Published: 19/10/2022 Updated: 07/11/2023

CVSS v3 Base Score: 7.1 | Impact Score: 5.2 | Exploitability Score: 1.8

VMScore: 0

NGINX Open Source prior to 1.23.2 and 1.22.1, NGINX Open Source Subscription prior to R2 P1 and R1 P1, and NGINX Plus prior to R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local malicious user to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

Vulnerable Product	Search on Vulmon	Subscribe to Product
f5 nginx ingress controller
f5 nginx
f5 nginx 1.23.1
f5 nginx 1.23.0
f5 nginx r2
f5 nginx r1
fedoraproject fedora 35
fedoraproject fedora 36
fedoraproject fedora 37
debian debian linux 10.0
debian debian linux 11.0

Several security issues were fixed in nginx ...

It was discovered that parsing errors in the mp4 module of Nginx, a high-performance web and reverse proxy server, could result in denial of service, memory disclosure or potentially the execution of arbitrary code when processing a malformed mp4 file This module is only enabled in the nginx-extras binary package For the stable distribution (bull ...

NGINX Open Source before versions 1232 and 1221, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a ...

DescriptionThe MITRE CVE dictionary describes this issue as: NGINX Open Source before versions 1232 and 1221, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, o ...

NGINX Open Source before versions 1232 and 1221, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a ...

CWE-787 https://support.f5.com/csp/article/K28112382 https://www.debian.org/security/2022/dsa-5281 https://lists.debian.org/debian-lts-announce/2022/11/msg00031.html https://security.netapp.com/advisory/ntap-20230120-0005/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPRVYA4FS34VWB4FEFYNAD7Z2LFCJVEI/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FD6M3PVVKO35WLAA7GLDBS6TEQ26SM64/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WBORRVG7VVXYOAIAD64ZHES2U2VIUKFQ/https://ubuntu.com/security/notices/USN-5722-1 https://nvd.nist.gov https://www.debian.org/security/2022/dsa-5281

CVE-2022-41742

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect