CVE-2009-2629 : Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6

Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.

Published 2009-09-15 22:30:00

Updated 2025-04-09 00:30:58

Source CERT/CC

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2009-2629

Debian » Debian Linux » Version: 4.0
cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 6.0
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 5.0
cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
Matching versions
F5 » Nginx
Versions from including (>=) 0.7.0 and before (<) 0.7.62
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
Matching versions
F5 » Nginx
Versions from including (>=) 0.6.0 and before (<) 0.6.39
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
Matching versions
F5 » Nginx
Versions from including (>=) 0.8.0 and before (<) 0.8.15
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
Matching versions
F5 » Nginx
Versions from including (>=) 0.1.0 and before (<) 0.5.38
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 10
cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 11
cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 12
cpe:2.3:o:fedoraproject:fedora:12:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2009-2629

Top countries where our scanners detected CVE-2009-2629

Top open port discovered on systems with this issue 5555

IPs affected by CVE-2009-2629 121

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2009-2629!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2009-2629

EPSS FAQ

81.30%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2009-2629

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2009-2629

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2009-2629

http://www.kb.cert.org/vuls/id/180065

VU#180065 - Nginx ngx_http_parse_complex_uri() buffer underflow vulnerability
Third Party Advisory;US Government Resource
http://sysoev.ru/nginx/patch.180065.txt

404. Страница не найдена
Broken Link
http://www.debian.org/security/2009/dsa-1884

[SECURITY] [DSA 1884-1] New nginx packages fix arbitrary code execution
Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html

[SECURITY] Fedora 11 Update: nginx-0.7.64-1.fc11
Third Party Advisory

CVEs referencing this url
http://nginx.net/CHANGES-0.7

Release Notes;Vendor Advisory
http://nginx.net/CHANGES-0.5

Release Notes;Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html

[SECURITY] Fedora 12 Update: nginx-0.7.64-1.fc12
Third Party Advisory

CVEs referencing this url
http://nginx.net/CHANGES-0.6

Release Notes;Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html

[SECURITY] Fedora 10 Update: nginx-0.7.64-1.fc10
Third Party Advisory

CVEs referencing this url
http://nginx.net/CHANGES

Release Notes;Vendor Advisory