
Multiple F5 NGINX Plus and NGINX Open Source Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-31079 CVSS: 4.8

F5 NGINX Plus and NGINX Open Source are vulnerable to a denial of service, caused by a flaw that is reachable when NGINX is configured to use the HTTP/3 QUIC module. By sending specially crafted HTTP/3 requests, a remote attacker could exploit this vulnerability to cause NGINX worker processes to terminate or to have other potential impact.

CVE-2024-35200 CVSS: 5.3

F5 NGINX Plus and NGINX Open Source are vulnerable to a denial of service, caused by a flaw that is reachable when NGINX is configured to use the HTTP/3 QUIC module. By sending specially crafted HTTP/3 requests, a remote attacker could exploit this vulnerability to cause NGINX worker processes to terminate.

CVE-2024-34161 CVSS: 5.3

F5 NGINX Plus and NGINX Open Source could allow a remote attacker to obtain sensitive information, caused by a flaw that is reachable when NGINX is configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain the contents of previously freed memory and use this information to launch further attacks against the affected system.

CVE-2024-32760 CVSS: 6.5

F5 NGINX Plus and NGINX Open Source are vulnerable to a denial of service, caused by a flaw that is reachable when NGINX is configured to use the HTTP/3 QUIC module. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause NGINX worker processes to terminate or to have other potential impact.

Impact

  • Denial of Service
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2024-31079
  • CVE-2024-35200
  • CVE-2024-34161
  • CVE-2024-32760

Affected Vendors

F5

Affected Products

  • F5 NGINX Plus R30
  • F5 NGINX Open Source 1.25.0

Remediation

Refer to the F5 Security Advisory for each CVE for patch, upgrade or suggested workaround information:

  • CVE-2024-31079
  • CVE-2024-35200
  • CVE-2024-34161
  • CVE-2024-32760
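All four issues above are only reachable when NGINX is actually serving HTTP/3, which requires both the HTTP/3 module to be compiled in and a `listen ... quic` directive in the active configuration. The following triage script is an added example, not part of the Rewterz advisory or of F5's guidance; it checks both conditions so a defender can decide whether a host needs the upgrade or workaround urgently. The `nginx -V` configure line and the server block it inspects are constructed samples, and the function names (`http3_compiled_in`, `quic_listeners`, `nginx_http3_exposed`) are this example's own.

```shell
#!/bin/sh
# Added triage check for the NGINX HTTP/3 QUIC advisories (example code,
# not from the advisory or from F5). A host is considered exposed only when
# the HTTP/3 module is compiled in AND at least one listener enables QUIC.

# Return 0 if the configure arguments (as printed by `nginx -V`) include the
# HTTP/3 module; otherwise the QUIC code path is not present in the binary.
http3_compiled_in() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# Read an nginx configuration on stdin and print every `listen` directive that
# enables QUIC. Comments are stripped first so commented-out listeners do not
# count; the trailing class guards against words that merely start with "quic".
quic_listeners() {
    sed 's/#.*$//' | grep -E '^[[:space:]]*listen[[:space:]][^;]*[[:space:]]quic([[:space:];]|$)'
}

# Return 0 (exposed) only when both conditions hold:
#   $1 = output of `nginx -V`, $2 = full configuration text (e.g. `nginx -T`).
nginx_http3_exposed() {
    http3_compiled_in "$1" && [ -n "$(printf '%s\n' "$2" | quic_listeners)" ]
}

# Constructed sample modelled on an `nginx -V` configure line (not real host output).
SAMPLE_V_OUT='configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module'

# Constructed sample server block; the commented-out listener must not be reported.
SAMPLE_CONF='server {
    listen 443 ssl;
    listen 443 quic reuseport;
    # listen 8443 quic;
    server_name example.invalid;
}'

# On a real host the same check is:
#   nginx_http3_exposed "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
if nginx_http3_exposed "$SAMPLE_V_OUT" "$SAMPLE_CONF"; then
    echo "EXPOSED: HTTP/3 module built in and QUIC listener(s) active:"
    printf '%s\n' "$SAMPLE_CONF" | quic_listeners
else
    echo "not exposed: HTTP/3 not built in or no QUIC listener configured"
fi
```

The check is deliberately conservative: a binary without `--with-http_v3_module` cannot reach the affected code regardless of configuration, and a binary with the module but no `quic` listener is not serving HTTP/3, so only hosts that report EXPOSED need to be prioritised for the F5 patch or workaround.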