Vulnerability Details : CVE-2022-41742
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
Vulnerability category: Memory Corruption
Products affected by CVE-2022-41742
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- F5 » Nginx » Open Source EditionVersions from including (>=) 1.1.3 and up to, including, (<=) 1.22.0cpe:2.3:a:f5:nginx:*:*:*:*:open_source:*:*:*
- cpe:2.3:a:f5:nginx:*:*:*:*:plus:*:*:*
- cpe:2.3:a:f5:nginx:1.23.1:*:*:*:open_source:*:*:*
- cpe:2.3:a:f5:nginx:1.23.0:*:*:*:open_source:*:*:*
- cpe:2.3:a:f5:nginx:r2:*:*:*:open_source_subscription:*:*:*
- cpe:2.3:a:f5:nginx:r1:*:*:*:open_source_subscription:*:*:*
- cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41742
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-41742
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.1
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
1.8
|
5.2
|
F5 Networks | |
7.1
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
1.8
|
5.2
|
NIST |
CWE ids for CVE-2022-41742
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by:
- f5sirt@f5.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2022-41742
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WBORRVG7VVXYOAIAD64ZHES2U2VIUKFQ/
[SECURITY] Fedora 37 Update: nginx-1.22.1-1.fc37 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://support.f5.com/csp/article/K28112382
NGINX ngx_http_mp4_module vulnerability CVE-2022-41742Mitigation;Vendor Advisory
-
https://www.debian.org/security/2022/dsa-5281
Debian -- Security Information -- DSA-5281-1 nginxThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPRVYA4FS34VWB4FEFYNAD7Z2LFCJVEI/
[SECURITY] Fedora 36 Update: nginx-1.22.1-1.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2022/11/msg00031.html
[SECURITY] [DLA 3203-1] nginx security updateMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20230120-0005/
October 2022 NGINX Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FD6M3PVVKO35WLAA7GLDBS6TEQ26SM64/
[SECURITY] Fedora 35 Update: nginx-1.22.1-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to