Updated: 2025-01-22 22:57:24.904694
Description:
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0 | |
| CVSS Version 3.x | MEDIUM | 4.7 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | nginx | 1.20.1 | 4.7 | MEDIUM | Released | CLSA-2025:1744633827 | 2025-04-15 03:59:34 | |
| Ubuntu 16.04 ELS | nginx | 1.10.3-0 | 4.7 | MEDIUM | Released | CLSA-2024:1730478623 | 2024-11-01 14:28:45 | |
| Ubuntu 18.04 ELS | nginx | 1.14.0-0 | 4.7 | MEDIUM | Released | CLSA-2024:1730479989 | 2024-11-01 14:28:47 |