Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-41741

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

Published

2022-10-19T22:15:12.647

Last Modified

2024-11-21T07:23:46.307

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.0 (HIGH)

Weaknesses

Type: Secondary
CWE-787
Type: Primary
CWE-787

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	f5	nginx	≤ 1.22.0	Yes
Application	f5	nginx	≤ r27	Yes
Application	f5	nginx	1.23.0	Yes
Application	f5	nginx	1.23.1	Yes
Application	f5	nginx	r1	Yes
Application	f5	nginx	r2	Yes
Application	f5	nginx_ingress_controller	≤ 1.12.4	Yes
Application	f5	nginx_ingress_controller	≤ 2.4.0	Yes
Operating System	fedoraproject	fedora	35	Yes
Operating System	fedoraproject	fedora	36	Yes
Operating System	fedoraproject	fedora	37	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	debian	debian_linux	11.0	Yes

References

https://lists.debian.org/debian-lts-announce/2022/11/msg00031.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPRVYA4FS34VWB4FEFYNAD7Z2LFCJVEI/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FD6M3PVVKO35WLAA7GLDBS6TEQ26SM64/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WBORRVG7VVXYOAIAD64ZHES2U2VIUKFQ/ ([email protected])
https://security.netapp.com/advisory/ntap-20230120-0005/ Third Party Advisory ([email protected])
https://support.f5.com/csp/article/K81926432 Mitigation, Vendor Advisory ([email protected])
https://www.debian.org/security/2022/dsa-5281 Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/11/msg00031.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPRVYA4FS34VWB4FEFYNAD7Z2LFCJVEI/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FD6M3PVVKO35WLAA7GLDBS6TEQ26SM64/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WBORRVG7VVXYOAIAD64ZHES2U2VIUKFQ/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230120-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.f5.com/csp/article/K81926432 Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2022/dsa-5281 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)