Vulnerabilities > CVE-2024-24990 - Use After Free vulnerability in F5 Nginx Open Source and Nginx Plus

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

CWE-416

NVD

Published: 2024-02-14

Updated: 2025-01-24

Summary

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Vulnerable Configurations

Part	Description	Count
Application	F5 F5 Nginx Plus R30 F5 Nginx Plus R31 F5 Nginx Open Source 1.25.0 F5 Nginx Open Source 1.25.1 F5 Nginx Open Source 1.25.2 F5 Nginx Open Source 1.25.3	7

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References