Vulnerabilities > CVE-2024-24989 - NULL Pointer Dereference vulnerability in F5 Nginx Open Source and Nginx Plus

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

CWE-476

NVD

Published: 2024-02-14

Updated: 2025-01-24

Summary

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Vulnerable Configurations

Part	Description	Count
Application	F5 F5 Nginx Plus R31 F5 Nginx Open Source 1.25.3	2

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

References

http://www.openwall.com/lists/oss-security/2024/05/30/4
http://www.openwall.com/lists/oss-security/2024/05/30/4
https://my.f5.com/manage/s/article/K000138444
https://my.f5.com/manage/s/article/K000138444