PT-2024-5858 · Nginx · Nginx Open Source
Nils Bars · Published 2024-08-14 · Updated 2026-04-21
CVE-2024-7347 · CVSS v4.0 5.7 (Medium)
| Vector | AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
NGINX Open Source and NGINX Plus versions prior to 1.26.2
NGINX Open Source and NGINX Plus versions prior to 1.27.1
Description
The issue is a buffer over-read vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory, resulting in the worker's termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.
Recommendations
For NGINX Open Source and NGINX Plus versions prior to 1.26.2, update to version 1.26.2 or later.
For NGINX Open Source and NGINX Plus versions prior to 1.27.1, update to version 1.27.1 or later.
As a temporary workaround, consider disabling the ngx_http_mp4_module (remove the mp4 directive or rebuild without the module) until the update can be applied.
Restrict access to the locations where the mp4 directive is enabled to minimize the risk of exploitation.
Do not serve untrusted mp4 files through the ngx_http_mp4_module until the issue is resolved, since the bug is triggered only when the module processes a crafted file.
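Before applying the recommendations above, an operator has to establish whether a deployment meets all three conditions the description names. The following shell script is an added example, not part of this advisory or of nginx itself; the `nginx -V` output and configuration fragment it parses are constructed samples.

```shell
#!/bin/sh
# Added example: is this nginx deployment exposed to CVE-2024-7347?
# Exposure requires all three conditions from the advisory: an affected
# version, ngx_http_mp4_module compiled in, and an active `mp4;` directive.

# Constructed sample of `nginx -V` output (not captured from a real host).
SAMPLE_NGINX_V='nginx version: nginx/1.26.1
configure arguments: --prefix=/etc/nginx --with-http_mp4_module --with-http_ssl_module'

# Constructed nginx.conf fragment that serves video through the mp4 module.
SAMPLE_CONF='location /video/ {
    mp4;
    mp4_buffer_size 1m;
}'

# 0 if in an affected range (< 1.26.2, or 1.27.0), 1 if not, 2 if unparseable.
version_affected() {
    v=$1
    case $v in [0-9]*.[0-9]*.[0-9]*) ;; *) return 2 ;; esac
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
    [ "$maj" -lt 1 ] && return 0
    [ "$maj" -eq 1 ] || return 1
    [ "$min" -lt 26 ] && return 0
    [ "$min" -eq 26 ] && [ "$pat" -lt 2 ] && return 0
    [ "$min" -eq 27 ] && [ "$pat" -lt 1 ] && return 0
    return 1
}

# 0 when the configure arguments list the mp4 module.
module_built_in() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# 0 when an uncommented `mp4;` directive is present (mp4_buffer_size etc.
# do not count; only the directive that enables the module on a location).
config_uses_mp4() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -Eq '(^|[[:space:];{])mp4[[:space:]]*;'
}

# Combine the three checks; 0 means exposed, 1 means not exposed.
assess() {
    ver=$(printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p')
    version_affected "$ver" || { echo "nginx '$ver': not in an affected range (or unparseable)"; return 1; }
    module_built_in "$1" || { echo "nginx $ver: mp4 module not compiled in"; return 1; }
    config_uses_mp4 "$2" || { echo "nginx $ver: no active mp4 directive"; return 1; }
    echo "nginx $ver: exposed, upgrade to 1.26.2 or 1.27.1"
}

assess "$SAMPLE_NGINX_V" "$SAMPLE_CONF"
```

On a real host, feed it `nginx -V 2>&1` and the output of `nginx -T` instead of the constructed samples.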
Buffer Over-read
Out of bounds Read
Affected Products
Alt Linux
Almalinux
Debian
Linuxmint
Nginx Open Source
Nginx Plus
Nginx
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu