CVE-2013-2070 : http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 thro

http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028.

Published 2013-07-20 03:37:25

Updated 2021-11-10 15:59:34

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2013-2070

Debian » Debian Linux » Version: 6.0
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
F5 » Nginx
Versions from including (>=) 1.1.4 and up to, including, (<=) 1.2.8
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
Matching versions
F5 » Nginx
Versions from including (>=) 1.3.9 and up to, including, (<=) 1.4.0
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-2070

EPSS FAQ

8.88%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 92 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-2070

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:P	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: Partial

References for CVE-2013-2070

http://security.gentoo.org/glsa/glsa-201310-04.xml

nginx: Multiple vulnerabilities (GLSA 201310-04) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://nginx.org/download/patch.2013.proxy.txt

Patch;Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=962525

962525 – (CVE-2013-2070) CVE-2013-2070 nginx: denial of service or memory disclosure when using proxy_pass
Issue Tracking;Patch;Third Party Advisory
http://www.debian.org/security/2013/dsa-2721

Debian -- Security Information -- DSA-2721-1 nginx
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html

[SECURITY] Fedora 18 Update: nginx-1.2.9-1.fc18
Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/84172

nginx denial of service CVE-2013-2070 Vulnerability Report
Third Party Advisory;VDB Entry
http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html

[nginx-announce] nginx security advisory (CVE-2013-2070)
Patch;Vendor Advisory
http://seclists.org/oss-sec/2013/q2/291

oss-sec: Re: nginx security advisory (CVE-2013-2028)
Mailing List;Patch;Third Party Advisory
http://www.securityfocus.com/bid/59824

Nginx CVE-2013-2070 Remote Security Vulnerability
Third Party Advisory;VDB Entry
http://www.openwall.com/lists/oss-security/2013/05/13/3

oss-security - nginx security advisory (CVE-2013-2070)
Mailing List;Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2013-2070

Products affected by CVE-2013-2070

Exploit prediction scoring system (EPSS) score for CVE-2013-2070

CVSS scores for CVE-2013-2070

References for CVE-2013-2070