Assigner | f5 |
Reserved | 2024-05-14 |
Published | 2024-05-29 |
Updated | 2024-06-04 |
Description
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L |
Problem types
CWE-121 Stack-based Buffer Overflow
Product status
1.25.0 before 1.26.1
R30 before R32
Credits
F5 acknowledges Nils Bars of CISPA for bringing this issue to our attention and following the highest standards of coordinated disclosure.
References
https://my.f5.com/manage/s/article/K000139611