1. Home
  2. Vulnerabilities
  3. CVE-2024-7347

CVE-2024-7347

CVSS v4.0 5.7 (Medium)
57% Progress
CVSS v3.1 4.7 (Medium)
47% Progress
EPSS 0.04 % (13th)
0.04% Progress
Affected Products 2
Advisories 5
NVD Status Analyzed
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software Tools, Exploits & PoC Graph Web & Social Timeline

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Weaknesses
CWE-125
Out-of-bounds Read
CWE-126
Buffer Over-read
CVE Status
PUBLISHED
NVD Status
Analyzed
CNA
F5 Networks
Published Date
2024-08-14 15:15:31
(4 weeks ago)
Updated Date
2024-08-20 19:25:17
(3 weeks ago)

Affected Products

F5

Configuration #1

    CPE23 From Up To
  F5 Nginx Open Source from 1.5.13 version and prior 1.26.2 version cpe:2.3:a:f5:nginx_open_source >= 1.5.13 < 1.26.2
  F5 Nginx Plus from r27 version and prior r31 version cpe:2.3:a:f5:nginx_plus >= r27 < r31
  F5 Nginx Plus R31 cpe:2.3:a:f5:nginx_plus:r31:-
  F5 Nginx Plus R31 P1 cpe:2.3:a:f5:nginx_plus:r31:p1
  F5 Nginx Plus R32 cpe:2.3:a:f5:nginx_plus:r32:-