CVE-2024-34161

Name: CVE-2024-34161

Description: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

NVD Severity: unknown

References

| Type | URI |
|---|---|
| vendor-advisory | https://my.f5.com/manage/s/article/K000139627 |
| | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/ |
| | http://www.openwall.com/lists/oss-security/2024/05/30/4 |
| | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/ |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| | nginx-open-source | >= 1.25.0 | < 1.26.1 |
| | nginx-plus | >= R30 | < R32 |
| cpe:2.3:a:f5:nginx_open_source:\*:\*:\*:\*:\*:\*:\*:\* | nginx_open_source | >= 1.25.0 | < 1.26.1 |
| cpe:2.3:a:f5:nginx_plus:r30:-:\*:\*:\*:\*:\*:\* | nginx_plus | == None | == r30 |
| cpe:2.3:a:f5:nginx_plus:r31:-:\*:\*:\*:\*:\*:\* | nginx_plus | == None | == r31 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|