NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | nginx | 2023-01-18 20:56 | ALAS-2023-1665 |
Amazon Linux 2 - Nginx1 Extra | nginx | 2023-08-07 06:17 | ALAS2NGINX1-2023-001 |
Amazon Linux 2023 | nginx | 2023-02-17 20:47 | ALAS2023-2023-090 |
Amazon Linux 2023 | nginx | 2023-02-17 20:48 | ALAS2023-2023-099 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
NVD | CVSSv3 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |