7.1

CVE-2022-41742

EPSS 0.07%
Published 19.10.2022 22:15:12
Last modified 21.11.2024 07:23:46
Source f5sirt@f5.com
Teams watchlist Login
Open Login

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

Affected products Warnungen 0 Metrics 3 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

F5 ≫ Nginx SwEditionopen_source Version >= 1.1.3 <= 1.22.0

F5 ≫ Nginx SwEditionplus Version >= r22 <= r27

F5 ≫ Nginx Version1.23.0 SwEditionopen_source

F5 ≫ Nginx Version1.23.1 SwEditionopen_source

F5 ≫ Nginx Versionr1 SwEditionopen_source_subscription

F5 ≫ Nginx Versionr2 SwEditionopen_source_subscription

F5 ≫ Nginx Ingress Controller Version >= 1.9.0 <= 1.12.4

F5 ≫ Nginx Ingress Controller Version >= 2.0.0 <= 2.4.0

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Fedoraproject ≫ Fedora Version37

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.223

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
f5sirt@f5.com	7.1	1.8	5.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://lists.debian.org/debian-lts-announce/2022/11/msg00031.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPRVYA4FS34VWB4FEFYNAD7Z2LFCJVEI/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FD6M3PVVKO35WLAA7GLDBS6TEQ26SM64/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WBORRVG7VVXYOAIAD64ZHES2U2VIUKFQ/

https://security.netapp.com/advisory/ntap-20230120-0005/

Third Party Advisory

https://www.debian.org/security/2022/dsa-5281

Third Party Advisory

https://support.f5.com/csp/article/K28112382

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2022-41742

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-41742

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-41742

EUVD