CVE-2022-41742

HIGH

NGINX Open Source < 1.23.2 and 1.22.1 - Out-of-bounds Write in ngx_http_mp4_module

Title source: llm
STIX 2.1

Description

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

References (7)

Core 7
Core References
Mitigation, Vendor Advisory
https://support.f5.com/csp/article/K28112382
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5281
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/11/msg00031.html

Scores

CVSS v3 7.1
EPSS 0.0009
EPSS Percentile 25.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-787
Status published
Products (12)
debian/debian_linux 10.0
debian/debian_linux 11.0
f5/nginx 1.23.0
f5/nginx 1.23.1
f5/nginx r1
f5/nginx r2
f5/nginx 1.1.3 - 1.22.0
f5/nginx r22 - r27
f5/nginx_ingress_controller 1.9.0 - 1.12.4
fedoraproject/fedora 35
... and 2 more
Published Oct 19, 2022
Tracked Since Feb 18, 2026