{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-24990", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2024-02-02T00:32:55.375Z", "datePublished": "2024-02-14T16:30:26.445Z", "dateUpdated": "2025-02-13T17:40:43.783Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["HTTP/3", "QUIC"], "product": "NGINX Plus", "vendor": "F5", "versions": [{"lessThan": "R31 P1", "status": "affected", "version": "R31", "versionType": "custom"}, {"lessThan": "R30 P2", "status": "affected", "version": "R30", "versionType": "custom"}]}, {"defaultStatus": "unknown", "modules": ["HTTP/3", "QUIC"], "product": "NGINX Open Source", "vendor": "F5", "versions": [{"lessThan": "1.25.4", "status": "affected", "version": "1.25.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "F5"}], "datePublic": "2024-02-14T15:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.</p><p><strong>Note</strong>: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://nginx.org/en/docs/quic.html\">Support for QUIC and HTTP/3</a>.</p>\n\n \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated"}], "value": "When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.\n\nNote: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .\n\n\n\n \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2024-06-10T16:14:53.733Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K000138445"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/30/4"}], "source": {"discovery": "INTERNAL"}, "title": "NGINX HTTP/3 QUIC vulnerability", "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:36:21.362Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://my.f5.com/manage/s/article/K000138445"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/30/4", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F1D106D-58A7-4CF4-95CD-5B36A8D54F2C", "versionEndExcluding": "1.25.4", "versionStartIncluding": "1.25.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:*", "matchCriteriaId": "96BF2B19-52C7-4051-BA58-CAE6F912B72F", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r30:p1:*:*:*:*:*:*", "matchCriteriaId": "4EBEC829-7EED-487E-974D-BBA704DFBF0A", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r31:-:*:*:*:*:*:*", "matchCriteriaId": "8248517E-D805-4928-8252-2168472341EF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.\n\nNote: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .\n\n\n\n \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated"}, {"lang": "es", "value": "Cuando NGINX Plus o NGINX OSS est\u00e1n configurados para usar el m\u00f3dulo HTTP/3 QUIC, las solicitudes no divulgadas pueden hacer que los procesos de trabajo de NGINX finalicen. Nota: El m\u00f3dulo HTTP/3 QUIC no est\u00e1 habilitado de forma predeterminada y se considera experimental. Para obtener m\u00e1s informaci\u00f3n, consulte Compatibilidad con QUIC y HTTP/3 https://nginx.org/en/docs/quic.html. Nota: Las versiones de software que han llegado al final del soporte t\u00e9cnico (EoTS) no se eval\u00faan"}], "id": "CVE-2024-24990", "lastModified": "2025-02-13T18:17:12.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "f5sirt@f5.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-14T17:15:15.713", "references": [{"source": "f5sirt@f5.com", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/05/30/4"}, {"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000138445"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/05/30/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000138445"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "f5sirt@f5.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nginx: Use-after-free in HTTP/3", "id": "2264298", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264298"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.\nNote: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated", "A flaw was found in the nginx HTTP/3 implementation. This issue may allow an attacker to use a specially crafted QUIC session to trigger a use-after-free condition, causing a worker process to crash, leading to a denial of service."], "name": "CVE-2024-24990", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "nginx", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nginx:1.22/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nginx:1.22/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nginx118-nginx", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nginx120-nginx", "product_name": "Red Hat Software Collections"}], "public_date": "2024-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-24990\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-24990\nhttps://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html"], "statement": "The nginx package as shipped in Red Hat Enterprise Linux 8, 9 and RHSCL is not affected by this vulnerability because support for HTTP3 is not enabled and the vulnerable code was introduced in a newer version of nginx.", "threat_severity": "Important", "upstream_fix": "nginx 1.25.4"}