CVE-2017-20005

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions NGINX versions prior to 1.13.6

Description The issue is related to the autoindex module's incorrect handling of years exceeding four digits, which can cause an integer overflow. This can be triggered by a file with a modification date in the distant past or future. The exploitation of this issue may allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.

Recommendations For NGINX versions prior to 1.13.6, update to version 1.13.6 or later to resolve the issue. As a temporary workaround, consider disabling the autoindex module until a patch is available. Restrict access to the autoindex module to minimize the risk of exploitation.

Exploit

Fix

Integer Overflow

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-190CWE-120

Related Identifiers

ALT-PU-2018-1866

BDU:2021-04615

CVE-2017-20005

DLA-2680-1

USN-5109-1

Affected Products

Alt Linux

Nginx

Ubuntu

CVE-2017-20005

Weakness Enumeration

Related Identifiers

Affected Products

References · 29