PT-2017-4158 · Nginx+2 · Nginx+2

Jamie Landeg-Jones

Publicado

2017-08-28

Atualizado

2025-12-05

CVE-2017-20005

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions NGINX versions prior to 1.13.6

Description The issue is related to the autoindex module's incorrect handling of years exceeding four digits, which can cause an integer overflow. This can be triggered by a file with a modification date in the distant past or future. The exploitation of this issue may allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.

Recommendations For NGINX versions prior to 1.13.6, update to version 1.13.6 or later to resolve the issue. As a temporary workaround, consider disabling the autoindex module until a patch is available. Restrict access to the autoindex module to minimize the risk of exploitation.

Exploit

Correção

Integer Overflow

Buffer Overflow

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-190CWE-120

Identificadores relacionados

ALT-PU-2018-1866

BDU:2021-04615

CVE-2017-20005

DLA-2680-1

USN-5109-1

Produtos afetados

Alt Linux

Nginx

Ubuntu

PT-2017-4158 · Nginx+2 · Nginx+2

CVE-2017-20005

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 29