Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Nginx
(F5)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 40 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2013-07-20 | CVE-2013-2028 | The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow. | Nginx, Fedora | N/A | ||
| 2013-07-20 | CVE-2013-2070 | http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028. | Debian_linux, Nginx | N/A | ||
| 2013-10-27 | CVE-2013-0337 | The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files. | Nginx | N/A | ||
| 2013-11-23 | CVE-2013-4547 | nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI. | Nginx, Opensuse, Lifecycle_management_server, Studio_onsite, Webyast | N/A | ||
| 2014-03-28 | CVE-2014-0133 | Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. | Nginx, Opensuse | N/A | ||
| 2014-04-29 | CVE-2014-0088 | The SPDY implementation in the ngx_http_spdy_module module in nginx 1.5.10 before 1.5.11, when running on a 32-bit platform, allows remote attackers to execute arbitrary code via a crafted request. | Nginx | N/A | ||
| 2014-12-08 | CVE-2014-3616 | nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks. | Debian_linux, Nginx | N/A | ||
| 2014-12-29 | CVE-2014-3556 | The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. | Nginx | N/A | ||
| 2016-06-07 | CVE-2016-4450 | os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file. | Ubuntu_linux, Debian_linux, Nginx | 7.5 | ||
| 2019-11-19 | CVE-2011-4968 | nginx http proxy module does not verify peer identity of https origin server which could facilitate man-in-the-middle attack (MITM) | Debian_linux, Nginx | 4.8 |