CVE-2024-7347

MEDIUM

NGINX Open Source 1.5.13-1.26.1 and NGINX Plus r27-r30 - Out-of-bounds Read in ngx_http_mp4_module

Title source: llm

Description

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References (3)

Core 3

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/03/msg00017.html

Mailing List

http://www.openwall.com/lists/oss-security/2024/08/14/4

Vendor Advisory vendor-advisory

https://my.f5.com/manage/s/article/K000140529

Scores

CVSS v3 4.7

EPSS 0.0032

EPSS Percentile 23.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-125 CWE-126

Status published

Products (5)

f5/nginx_open_source 1.27.0

f5/nginx_open_source 1.5.13 - 1.26.2

f5/nginx_plus r31 (2 CPE variants)

f5/nginx_plus r32

f5/nginx_plus r27 - r31

Published Aug 14, 2024

Tracked Since Feb 18, 2026