PT-2022-5184 · Nginx · Nginx Open Source Subscription
Published 2022-10-19 · Updated 2026-04-21
CVE-2022-41742
CVSS v3.1: 7.1 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
NGINX Open Source mainline before 1.23.2 (1.23.1 and earlier)
NGINX Open Source stable before 1.22.1 (1.22.0 and earlier stable releases)
NGINX Open Source Subscription before versions R2 P1 and R1 P1
NGINX Plus before versions R27 P1 and R26 P1
Description
The issue affects NGINX products built with the ngx_http_mp4_module module when the mp4 directive is used in the configuration file. A local attacker can cause a worker process crash or worker process memory disclosure by using a specially crafted audio or video file. The attack is possible only if the attacker can trigger processing of that file by ngx_http_mp4_module, which in practice means placing the crafted file in a location served by a `location` block that enables `mp4;` (for example through an upload feature) and then requesting it with streaming parameters. This might allow the attacker to disclose protected information or cause a denial of service.
Recommendations
For NGINX Open Source mainline before 1.23.2: update to version 1.23.2 or later.
For NGINX Open Source stable before 1.22.1: update to version 1.22.1 or later.
For NGINX Open Source Subscription before versions R2 P1 and R1 P1: Update to version R2 P1 or R1 P1 or later.
For NGINX Plus before versions R27 P1 and R26 P1: Update to version R27 P1 or R26 P1 or later.
As a temporary workaround until the patched version is deployed, disable ngx_http_mp4_module (build without `--with-http_mp4_module`, or do not load it when it is a dynamic module), or remove the mp4 directive from every `location` block in the configuration. If the directive must stay, restrict which users can write files into the directories served by those locations, since the attack requires a crafted file to reach a `mp4;` location.
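The following POSIX shell script is an added example, not part of this advisory, of F5, or of the nginx project. It triages one host against the three conditions above (module compiled in, `mp4;` directive present in the loaded configuration, version below the fixed release) using the text of `nginx -V` and `nginx -T`. The fixed versions are the open-source ones stated above (1.23.2 mainline, 1.22.1 stable); the function names and the sample command outputs are the example's own constructions.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2022-41742 (ngx_http_mp4_module).
# Assumptions: open-source nginx version numbers; fixed in 1.23.2 (mainline)
# and 1.22.1 (stable). NGINX Plus / Subscription builds need their R-release
# check instead, and distro packages may backport the fix without a version bump.

# Print the version number from `nginx -V` output ("nginx version: nginx/1.22.0").
nginx_version() {
  printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p' | head -n 1
}

# Return 0 when the version already contains the fix: >= 1.23.2, or 1.22.1+.
version_fixed() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}
  [ -n "$patch" ] || patch=0
  if [ "$major" -gt 1 ]; then return 0; fi
  if [ "$major" -lt 1 ]; then return 1; fi
  if [ "$minor" -gt 23 ]; then return 0; fi
  if [ "$minor" -eq 23 ] && [ "$patch" -ge 2 ]; then return 0; fi
  if [ "$minor" -eq 22 ] && [ "$patch" -ge 1 ]; then return 0; fi
  return 1
}

# Return 0 when the build includes the mp4 module (static or =dynamic).
mp4_module_built() {
  printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# Return 0 when the dumped configuration enables the directive. It takes no
# arguments, so it appears as a bare "mp4;"; commented-out lines do not match.
mp4_directive_used() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*mp4[[:space:]]*;'
}

# Combine the checks: return 0 (true) only when all three conditions hold.
is_vulnerable() {
  ver=$(nginx_version "$1")
  if ! mp4_module_built "$1"; then
    echo "nginx $ver: ngx_http_mp4_module not compiled in; not affected"; return 1
  fi
  if ! mp4_directive_used "$2"; then
    echo "nginx $ver: module present but no 'mp4;' in loaded config; not exposed"; return 1
  fi
  if version_fixed "$ver"; then
    echo "nginx $ver: 'mp4;' in use but version contains the fix; not affected"; return 1
  fi
  echo "nginx $ver: 'mp4;' in use on an unfixed build; VULNERABLE (CVE-2022-41742)"
  return 0
}

# Constructed sample outputs (not captured from a real host).
V_OLD='nginx version: nginx/1.22.0
built with OpenSSL 1.1.1n  15 Mar 2022
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'
V_FIXED='nginx version: nginx/1.22.1
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'
V_NOMP4='nginx version: nginx/1.20.2
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'
T_MP4='# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen 80;
        location /video/ {
            mp4;
            mp4_buffer_size 1m;
        }
    }
}'
T_NOMP4='# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen 80;
        location /video/ {
            # mp4;  disabled as a CVE-2022-41742 workaround
        }
    }
}'

# Against a live host (nginx -V prints to stderr; nginx -T usually needs root):
#   is_vulnerable "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
is_vulnerable "$V_OLD" "$T_MP4"     || true
is_vulnerable "$V_FIXED" "$T_MP4"   || true
is_vulnerable "$V_NOMP4" "$T_MP4"   || true
is_vulnerable "$V_OLD" "$T_NOMP4"   || true
```

The version comparison is only a heuristic on distribution-packaged nginx (several of the vendors listed under Affected Products backport fixes into older version strings), so on those hosts confirm against the distribution's own advisory rather than the upstream number; the module and directive checks remain valid either way.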
Weakness Enumeration
Memory Corruption
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
Linux Mint
Nginx Open Source
Nginx Open Source Subscription
Nginx Plus
Nginx
Red Hat
Rocky Linux
SUSE
Ubuntu