CVE ID: CVE-2021-23017
Assigner: f5
Date Published: 2021-06-01T12:28:09
Affected Products:
- n/a Nginx Web Server
A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.
CVE ID: CVE-2017-7529
Assigner: redhat
Date Published: 2017-07-11T00:00:00
Affected Products:
- nginx nginx: From (including) 0.5.6 - 1.13.2
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to an integer overflow vulnerability in the nginx range filter module, resulting in a leak of potentially sensitive information triggered by a specially crafted request.
CVE ID: CVE-2016-1247
Assigner: debian
Date Published: 2016-11-29T17:00:00
Affected Products:
- n/a n/a: From (including) n/a
The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10, and the nginx ebuild before 1.10.2-r3 on Gentoo allow local users with access to the web server user account to gain root privileges via a symlink attack on the error log.
CVE ID: CVE-2019-7401
Assigner: mitre
Date Published: 2019-02-08T03:00:00
Affected Products:
- n/a n/a: From (including) n/a
NGINX Unit before 1.7.1 might allow an attacker to cause a heap-based buffer overflow in the router process with a specially crafted request. This may result in a denial of service (router process crash) or possibly have unspecified other impact.
CVE ID: CVE-2020-5901
Assigner: f5
Date Published: 2020-07-01T14:03:33
Affected Products:
- n/a NGINX Controller: From (including) 3.3.0-3.4.0
In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system.
CVE ID: CVE-2021-23019
Assigner: f5
Date Published: 2021-06-01T12:03:42
Affected Products:
- n/a Nginx Controller: From (including) “2.0.0 thru 2.9.0” and “3.x before 3.15.0”
The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package.
CVE ID: CVE-2020-21699
Assigner: mitre
Date Published: 2023-08-22T00:00:00
Affected Products:
- n/a n/a: From (including) n/a
The web server Tengine 2.2.2 developed in the Nginx version from 0.5.6 thru 1.13.2 is vulnerable to an integer overflow vulnerability in the nginx range filter module, resulting in the leakage of potentially sensitive information triggered by specially crafted requests.
CVE ID: CVE-2019-20372
Assigner: mitre
Date Published: 2020-01-09T20:05:38
Affected Products:
- n/a n/a: From (including) n/a
NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
CVE ID: CVE-2012-1180
Assigner: redhat
Date Published: 2012-04-17T21:00:00
Affected Products:
- n/a n/a: From (including) n/a
Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.
CVE ID: CVE-2021-23018
Assigner: f5
Date Published: 2021-06-01T11:51:20
Affected Products:
- n/a Nginx Controller: From (including) "3.x before 3.4.0"
Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster.