QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2018-16845

Back to search

CVE-2018-16845

Published: Nov 7, 2018

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

8.2

HIGH

Description

nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.

VendorProductVersions

[UNKNOWN]

nginx

affected
1.15.6
affected
1.14.1

Weaknesses (CWE)

CWE-400

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

References

DSA-4335
vendor-advisory
x_refsource_DEBIAN
RHSA-2018:3680
vendor-advisory
x_refsource_REDHAT
RHSA-2018:3681
vendor-advisory
x_refsource_REDHAT
105868
vdb-entry
x_refsource_BID
1042039
vdb-entry
x_refsource_SECTRACK
RHSA-2018:3653
vendor-advisory
x_refsource_REDHAT
RHSA-2018:3652
vendor-advisory
x_refsource_REDHAT
USN-3812-1
vendor-advisory
x_refsource_UBUNTU
openSUSE-SU-2019:2120
vendor-advisory
x_refsource_SUSE
20210921 APPLE-SA-2021-09-20-4 Xcode 13
mailing-list
x_refsource_FULLDISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now