发布时间: 2024年8月30日
修改时间: 2024年9月6日
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
| NVD | openEuler | |
|---|---|---|
| CVSS评分 | 5.7 | 4.7 |
| Attack Vector | Local | Local |
| Attack Complexity | High | High |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Unchanged | |
| Confidentiality | None | |
| Integrity | None | |
| Availability | High |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2024-3584 | nginx security update | 2024年9月6日 |
| KylinSec-SA-2024-3856 | nginx security update | 2024年9月6日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-5A | nginx | Fixed |
| KY3.5.2 | nginx | Fixed |
| V6 | nginx | Fixed |
