NGINX Makers of nginx server
stack.watch can notify you when security vulnerabilities are reported in any NGINX product. You can add multiple products that you use with NGINX to create your own personal software stack watcher.
Products by NGINX Sorted by Most Security Vulnerabilities since 2018
@nginx Tweets
DevOps環境全体でシームレスに機能するよう最適設計された最新のアプリケーションセキュリティ、NGINX App Protectをデモンストレーションを交えながらご紹介します。ぜひこの機会にご覧ください!(セミナー:7月9日(木… https://t.co/CIDNlWjXFe
Wed Jul 08 02:22:02 +0000 2020
Wed Jul 08 02:22:02 +0000 2020
See how to use the #NGINX Ingress Operator to easily install NGINX Plus Ingress Controller for #Kubernetes in your… https://t.co/Ndt9kImx0l
Tue Jul 07 15:48:03 +0000 2020
Tue Jul 07 15:48:03 +0000 2020
[Webinar] Join us tomorrow at 12:00 CEST to hear about challenges faced by organisations that wish to adapt to a tr… https://t.co/wtAFPw8lS5
Tue Jul 07 09:01:02 +0000 2020
Tue Jul 07 09:01:02 +0000 2020
In this third installment of #ControllerandCoffee, we'll focus on how #NGINXController provides full API lifecycle… https://t.co/6ULTMhdlWu
Mon Jul 06 17:58:22 +0000 2020
Mon Jul 06 17:58:22 +0000 2020
Rising #OpenSource Software Vulnerabilities Require a Modern #WAF https://t.co/W04WsYlRkU https://t.co/eCUTDOoLmf
Mon Jul 06 16:48:01 +0000 2020
Mon Jul 06 16:48:01 +0000 2020
By the Year
In 2020 there have been 1 vulnerability in NGINX with an average score of 5.3 out of ten. Last year NGINX had 9 security vulnerabilities published. Right now, NGINX is on track to have less security vulerabilities in 2020 than it did last year. Last year, the average CVE base score was greater by 3.88
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2020 | 1 | 5.30 |
| 2019 | 9 | 9.18 |
| 2018 | 3 | 7.03 |
It may take a day or so for new NGINX vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.
Latest NGINX Security Vulnerabilities
NGINX before 1.17.7, with certain error_page configurations
CVE-2019-20372
5.3 - Medium
- January 09, 2020
NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxt_vsprintf in nxt/nxt_sprintf.c during error handling, as demonstrated by an njs_regexp_literal call
CVE-2019-13617
6.5 - Medium
- July 16, 2019
njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxt_vsprintf in nxt/nxt_sprintf.c during error handling, as demonstrated by an njs_regexp_literal call that leads to an njs_parser_lexer_error call and then an njs_parser_scope_error call.
Memory Corruption
njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c
CVE-2019-13067
9.8 - Critical
- June 30, 2019
njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. This issue occurs after the fix for CVE-2019-12207 is in place.
Out-of-bounds Read
njs through 0.3.1
CVE-2019-12206
9.8 - Critical
- May 20, 2019
njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in nxt_utf8_encode in nxt_utf8.c.
Memory Corruption
njs through 0.3.1
CVE-2019-12207
9.8 - Critical
- May 20, 2019
njs through 0.3.1, used in NGINX, has a heap-based buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c.
Memory Corruption
njs through 0.3.1
CVE-2019-12208
9.8 - Critical
- May 20, 2019
njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in njs_function_native_call in njs/njs_function.c.
Memory Corruption
njs through 0.3.1
CVE-2019-11837
7.5 - High
- May 09, 2019
njs through 0.3.1, used in NGINX, has a segmentation fault in String.prototype.toBytes for negative arguments, related to nxt_utf8_next in nxt/nxt_utf8.h and njs_string_offset in njs/njs_string.c.
Numeric Errors
njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.splice after a resize, related to njs_array_prototype_splice in njs/njs_array.c
CVE-2019-11838
9.8 - Critical
- May 09, 2019
njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.splice after a resize, related to njs_array_prototype_splice in njs/njs_array.c, because of njs_array_expand size mishandling.
Memory Corruption
njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.push after a resize, related to njs_array_prototype_push in njs/njs_array.c
CVE-2019-11839
9.8 - Critical
- May 09, 2019
njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.push after a resize, related to njs_array_prototype_push in njs/njs_array.c, because of njs_array_expand size mishandling.
Memory Corruption
NGINX Unit before 1.7.1 might
CVE-2019-7401
9.8 - Critical
- February 08, 2019
NGINX Unit before 1.7.1 might allow an attacker to cause a heap-based buffer overflow in the router process with a specially crafted request. This may result in a denial of service (router process crash) or possibly have unspecified other impact.
Memory Corruption
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption
CVE-2018-16843
7.5 - High
- November 07, 2018
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
Uncontrolled Resource Consumption ('Resource Exhaustion')
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage
CVE-2018-16844
7.5 - High
- November 07, 2018
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
Uncontrolled Resource Consumption ('Resource Exhaustion')
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might
CVE-2018-16845
6.1 - Medium
- November 07, 2018
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
Loop with Unreachable Exit Condition ('Infinite Loop')