{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-32760", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2024-05-14T16:31:57.498Z", "datePublished": "2024-05-29T16:02:04.985Z", "dateUpdated": "2025-02-13T17:52:17.693Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["HTTP/3"], "product": "NGINX Open Source", "vendor": "F5", "versions": [{"lessThan": "1.26.1", "status": "affected", "version": "1.25.0", "versionType": "semver"}]}, {"defaultStatus": "unknown", "modules": ["HTTP/3"], "product": "NGINX Plus", "vendor": "F5", "versions": [{"lessThan": "R32", "status": "affected", "version": "R30", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "F5 acknowledges Nils Bars of CISPA for bringing this issue to our attention and following the highest standards of coordinated disclosure."}], "datePublic": "2024-05-29T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact."}], "value": "When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2024-06-10T16:07:55.891Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K000139609"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/30/4"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/"}], "source": {"discovery": "EXTERNAL"}, "title": "NGINX HTTP/3 QUIC vulnerability", "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"affected": [{"vendor": "f5", "product": "nginx_plus", "cpes": ["cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "r30", "status": "affected", "lessThanOrEqual": "r31", "versionType": "custom"}]}, {"vendor": "f5", "product": "nginx", "cpes": ["cpe:2.3:a:f5:nginx:1.25.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.25.0", "status": "affected", "lessThanOrEqual": "1.26.0", "versionType": "custom"}]}, {"vendor": "fedoraproject", "product": "fedora", "cpes": ["cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "39", "status": "affected"}]}, {"vendor": "fedoraproject", "product": "fedora", "cpes": ["cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "40", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-29T18:25:43.593460Z", "id": "CVE-2024-32760", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T20:52:45.607Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.272Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://my.f5.com/manage/s/article/K000139609"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/30/4", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://my.f5.com/manage/s/article/K000139609", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/30/4", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.272Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32760", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-29T18:25:43.593460Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:*"], "vendor": "f5", "product": "nginx_plus", "versions": [{"status": "affected", "version": "r30", "versionType": "custom", "lessThanOrEqual": "r31"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:f5:nginx:1.25.0:*:*:*:*:*:*:*"], "vendor": "f5", "product": "nginx", "versions": [{"status": "affected", "version": "1.25.0", "versionType": "custom", "lessThanOrEqual": "1.26.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*"], "vendor": "fedoraproject", "product": "fedora", "versions": [{"status": "affected", "version": "39"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*"], "vendor": "fedoraproject", "product": "fedora", "versions": [{"status": "affected", "version": "40"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-29T18:27:58.232Z"}}], "cna": {"title": "NGINX HTTP/3 QUIC vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "F5 acknowledges Nils Bars of CISPA for bringing this issue to our attention and following the highest standards of coordinated disclosure."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "F5", "modules": ["HTTP/3"], "product": "NGINX Open Source", "versions": [{"status": "affected", "version": "1.25.0", "lessThan": "1.26.1", "versionType": "semver"}], "defaultStatus": "unknown"}, {"vendor": "F5", "modules": ["HTTP/3"], "product": "NGINX Plus", "versions": [{"status": "affected", "version": "R30", "lessThan": "R32", "versionType": "custom"}], "defaultStatus": "unknown"}], "datePublic": "2024-05-29T14:00:00.000Z", "references": [{"url": "https://my.f5.com/manage/s/article/K000139609", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/30/4"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/"}], "x_generator": {"engine": "F5 SIRTBot v1.0"}, "descriptions": [{"lang": "en", "value": "When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.", "supportingMedia": [{"type": "text/html", "value": "When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2024-06-10T16:07:55.891Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32760", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:52:17.693Z", "dateReserved": "2024-05-14T16:31:57.498Z", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "datePublished": "2024-05-29T16:02:04.985Z", "assignerShortName": "f5"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA79B55D-E494-4961-81C6-80363BE46FE0", "versionEndExcluding": "1.26.1", "versionStartIncluding": "1.25.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:*", "matchCriteriaId": "96BF2B19-52C7-4051-BA58-CAE6F912B72F", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r30:p1:*:*:*:*:*:*", "matchCriteriaId": "4EBEC829-7EED-487E-974D-BBA704DFBF0A", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r30:p2:*:*:*:*:*:*", "matchCriteriaId": "D0648596-D1F5-4A7A-B7F8-104E3AF26317", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r31:-:*:*:*:*:*:*", "matchCriteriaId": "8248517E-D805-4928-8252-2168472341EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r31:p1:*:*:*:*:*:*", "matchCriteriaId": "9D5BB4C0-B862-4CDD-AA54-1BC1BDF27005", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact."}, {"lang": "es", "value": "Cuando NGINX Plus o NGINX OSS est\u00e1n configurados para usar el m\u00f3dulo HTTP/3 QUIC, las instrucciones del codificador HTTP/3 no divulgadas pueden hacer que los procesos de trabajo de NGINX finalicen o causen otro impacto potencial."}], "id": "CVE-2024-32760", "lastModified": "2025-01-24T16:21:55.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "f5sirt@f5.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-29T16:15:10.043", "references": [{"source": "f5sirt@f5.com", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/05/30/4"}, {"source": "f5sirt@f5.com", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/"}, {"source": "f5sirt@f5.com", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/"}, {"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000139609"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/05/30/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000139609"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "f5sirt@f5.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nginx: undisclosed HTTP/3 encoder instructions terminate or cause or other potential impact", "id": "2283933", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2283933"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.", "A flaw was found in the nginx HTTP/3 implementation. Undisclosed HTTP/3 encoder instructions can trigger an out-of-bounds write error, causing worker processes to crash, leading to a denial of service or other potential impacts."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-32760", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "nginx", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nginx:1.22/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nginx:1.22/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nginx118-nginx", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nginx120-nginx", "product_name": "Red Hat Software Collections"}], "public_date": "2024-05-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-32760\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-32760\nhttps://my.f5.com/manage/s/article/K000139609"], "statement": "As this flaw allows a remote attacker to cause a denial of service, it has been rated with an important severity.\nThe nginx package as shipped in Red Hat Enterprise Linux 8, 9 and RHSCL is not affected by this vulnerability because the support for HTTP/3 is not enabled and the vulnerable code was introduced in a later version of nginx.", "threat_severity": "Important", "upstream_fix": "nginx 1.26.1, nginx 1.27.0"}