PT-2018-2563 · Nginx+4 · Nginx+4

Sam Fowler · Published 2018-11-06 · Updated 2026-04-21 · CVE-2018-16845

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Name of the Vulnerable Software and Affected Versions

nginx versions 1.15.6 and earlier, 1.14.1 and earlier

Description

The issue is in the ngx_http_mp4_module in nginx. A specially crafted mp4 file might allow an attacker to cause an infinite loop in a worker process, crash a worker process, or disclose worker process memory. The attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with ngx_http_mp4_module, which requires that the module is built and that the mp4 directive is used in the configuration file.

Recommendations

For versions prior to 1.15.6 and 1.14.1, update to version 1.21.0 or later to resolve the issue. As a temporary workaround, consider disabling the ngx_http_mp4_module until a patch is available. Restrict access to the mp4 directive in the configuration file to minimize the risk of exploitation. Avoid using the ngx_http_mp4_module to process mp4 files until the issue is resolved.

Fix

Resource Exhaustion

Infinite Loop

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2018-2601
ALT-PU-2019-2600
ALT-PU-2019-2823
BDU:2019-00984
CLEANSTART-2026-AF45008
CLEANSTART-2026-BA37192
CLEANSTART-2026-MQ02912
CLEANSTART-2026-XB16901
CLEANSTART-2026-ZN32454
CLEANSTART-2026-ZT77083
CVE-2018-16845
DLA-1572-1
DSA-4335-1
MGASA-2018-0459
OPENSUSE-SU-2019:0195-1
OPENSUSE-SU-2019:2120-1
OPENSUSE-SU-2019_0195-1
OPENSUSE-SU-2019_2120-1
OPENSUSE-SU-2024:11092-1
RHSA-2018:3652
RHSA-2018:3653
RHSA-2018:3680
RHSA-2018:3681
SUSE-SU-2019:0334-1
SUSE-SU-2019:2309-1
USN-3812-1

Affected Products

Alt Linux
Apple Macos
Nginx
Suse
Ubuntu