PT-2024-3972 · Nginx+1 · Nginx Plus+3
Nils Bars
·
Published
2024-05-29
·
Updated
2026-04-01
·
CVE-2024-31079
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
NGINX Plus (affected versions not specified)
NGINX OSS (affected versions not specified)
Description
The issue is related to a buffer overflow in the stack of the HTTP/3 QUIC module (ngx http v3 module) in NGINX Plus and NGINX OSS. This can be exploited by a remote attacker using specially crafted HTTP/3 requests, potentially causing denial of service or other impact. The attack requires specific timing during the connection draining process, which is difficult for the attacker to control.
Recommendations
For NGINX Plus, consider disabling the HTTP/3 QUIC module until a patch is available.
For NGINX OSS, consider disabling the HTTP/3 QUIC module until a patch is available.
As a temporary workaround, restrict access to the
ngx http v3 module to minimize the risk of exploitation.Fix
Memory Corruption
Stack Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nginx Oss
Nginx Plus
Nginx
Red Os