CVE-2024-24989 NGINX HTTP/3 QUIC vulnerability

2024-02-1416:30:26

CWE-476

www.cve.org

nginx plus

nginx oss

http/3 quic

vulnerability

worker processes

termination

experimental

support

eots

security

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

9.0%

JSON

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .

NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "modules": [
      "HTTP/3",
      "QUIC"
    ],
    "product": "NGINX Plus",
    "vendor": "F5",
    "versions": [
      {
        "lessThan": "R31 P1",
        "status": "affected",
        "version": "R31",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unknown",
    "modules": [
      "HTTP/3",
      "QUIC"
    ],
    "product": "NGINX Open Source",
    "vendor": "F5",
    "versions": [
      {
        "lessThan": "1.25.4",
        "status": "affected",
        "version": "1.25.3",
        "versionType": "semver"
      }
    ]
  }
]