CVE-2022-41741
19.10.2022, 22:15
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| f5 | nginx | 1.1.3 ≤ 𝑥 ≤ 1.22.0 |
| f5 | nginx | r22 ≤ 𝑥 ≤ r27 |
| f5 | nginx | 1.23.0 |
| f5 | nginx | 1.23.1 |
| f5 | nginx_ingress_controller | 1.9.0 ≤ 𝑥 ≤ 1.12.4 |
| f5 | nginx_ingress_controller | 2.0.0 ≤ 𝑥 ≤ 2.4.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| nginx |
| ||||||||||||||||||
| nginx-source |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||
|---|---|---|---|
| nginx |
| ||
| nginx-all-modules |
| ||
| nginx-core |
| ||
| nginx-filesystem |
| ||
| nginx-mod-devel |
| ||
| nginx-mod-http-image-filter |
| ||
| nginx-mod-http-perl |
| ||
| nginx-mod-http-xslt-filter |
| ||
| nginx-mod-mail |
| ||
| nginx-mod-stream |
|
Common Weakness Enumeration
References