Filtered by vendor F5 Subscriptions
Filtered by product Nginx Open Source Subscriptions
Total 8 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-53859 2 F5, Nginx 3 Nginx Open Source, Nginx Plus, Nginx 2025-08-16 3.7 Low
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2024-24989 1 F5 2 Nginx Open Source, Nginx Plus 2025-05-12 7.5 High
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVE-2024-24990 1 F5 2 Nginx Open Source, Nginx Plus 2025-05-08 7.5 High
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVE-2024-35200 2 F5, Fedoraproject 4 Nginx, Nginx Open Source, Nginx Plus and 1 more 2025-02-13 5.3 Medium
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.
CVE-2024-34161 2 F5, Fedoraproject 4 Nginx, Nginx Open Source, Nginx Plus and 1 more 2025-02-13 5.3 Medium
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.
CVE-2024-32760 2 F5, Fedoraproject 4 Nginx, Nginx Open Source, Nginx Plus and 1 more 2025-02-13 6.5 Medium
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.
CVE-2024-31079 2 F5, Fedoraproject 3 Nginx Open Source, Nginx Plus, Fedora 2025-02-13 4.8 Medium
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over.
CVE-2024-7347 2 F5, Redhat 4 Nginx Open Source, Nginx Plus, Enterprise Linux and 1 more 2025-01-22 4.7 Medium
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.