CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
99.0%
A vulnerability in the nginx web server may allow remote attackers to execute arbitrary code on an affected system.
nginx is an HTTP server and mail proxy server that is available for a number of different platforms. A buffer underflow vulnerability exists in the ngx_http_parse_complex_uri()
function when handling specially crafted URIs. Exploitation of this vulnerability would cause the nginx server to write data contained in the URI to heap memory before the allocated buffer.
As with a number of other web servers, nginx is designed to operate with a single privileged master process and multiple unprivileged worker processes handling specific requests. A remote, unauthenticated attacker may be able to execute arbitrary code in the context of the worker process or cause the worker process to crash, resulting in a denial of service.
Upgrade or apply a patch
Updated versions of the nginx package have been released to address this issue. Users should consult the Systems Affected section of this document for information about specific vendors.
180065
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: September 05, 2009 Updated: September 14, 2009
Statement Date: September 14, 2009
Affected
We have not received a statement from the vendor.
Debian has published Debian Security Advisory DSA-1884 in response to this issue. Users are encouraged to review this advisory and apply the patches it describes.
Notified: September 05, 2009 Updated: September 21, 2009
Statement Date: September 18, 2009
Affected
We have not received a statement from the vendor.
The Gentoo Security Team has published Gentoo Linux Security Advisory GLSA 200909-18 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Updated: September 15, 2009
Statement Date: September 05, 2009
Affected
We have not received a statement from the vendor.
The author of nginx has published the following updated versions of the software to address this issue:
* Development version: nginx-0.8.15, nginx/Windows-0.8.15, [change log](<http://nginx.net/CHANGES>)
* Stable version: nginx-0.7.62, nginx/Windows-0.7.62, [change log](<http://nginx.net/CHANGES-0.7>)
* Legacy stable version: nginx-0.6.39, [change log](<http://nginx.net/CHANGES-0.6>)
* Legacy version: nginx-0.5.38, [change log](<http://nginx.net/CHANGES-0.5>)
Users of nginx from the original distribution are encouraged to upgrade to one of these versions (or newer, as appropriate). The author has also published a to address this issue.
Notified: September 05, 2009 Updated: September 08, 2009
Statement Date: September 07, 2009
Not Affected
as far as I can see we never shipped the nginx web-server.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 09, 2009
Statement Date: September 08, 2009
Not Affected
Sun Products are not vulnerable, since nginx is not included in any supported Sun product offering. A vulnerable version of nginx is available as an unsupported component of WebStack project, which will be updated to fix this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 08, 2009
Statement Date: September 08, 2009
Not Affected
SCO does not ship this web server with any of its products and we are therefore not affected by this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 05, 2009 Updated: September 06, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
View all 40 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | 0 | AV:β/AC:β/Au:β/C:β/I:β/A:β |
Temporal | 0 | E:ND/RL:ND/RC:ND |
Environmental | 0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
Thanks to Chris Ries of the Carnegie Mellon University Information Security Office for reporting this vulnerability.
This document was written by Chad R Dougherty.
CVE IDs: | CVE-2009-2629 |
---|---|
Severity Metric: | 4.22 Date Public: |