Bitnami package
nginx-gateway
pkg:bitnami/nginx-gateway
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-24990 | — | | | >= 1.25.0, < 1.25.4 | 1.25.4 | Feb 14, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC |
| CVE-2024-24989 | — | | | >= 1.25.3, < 1.25.4 | 1.25.4 | Feb 14, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC |
| CVE-2023-44487 | High | 7.5 | KEV | >= 1.9.5, < 1.25.3 | 1.25.3 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2021-3618 | — | | | < 1.21.0 | 1.21.0 | Mar 23, 2022 | ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can re |
| CVE-2021-23017 | — | | | >= 0.6.18, < 1.20.1 | 1.20.1 | Jun 1, 2021 | A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact. |
Page 2 of 2