Openresty Openresty

By the Year

In 2024 there have been 0 vulnerabilities in Openresty. Last year Openresty had 1 security vulnerability published. Right now, Openresty is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 1 7.50
2022 0 0.00
2021 1 7.70
2020 1 7.50
2019 0 0.00
2018 1 9.80

It may take a day or so for new Openresty vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Openresty Security Vulnerabilities

The HTTP/2 protocol

CVE-2023-44487 7.5 - High - October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Resource Exhaustion

A security issue in nginx resolver was identified, which might

CVE-2021-23017 7.7 - High - June 01, 2021

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.

off-by-five

An issue was discovered in OpenResty before 1.15.8.4

CVE-2020-11724 7.5 - High - April 12, 2020

An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.

HTTP Request Smuggling

In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions

CVE-2018-9230 9.8 - Critical - April 02, 2018

In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions that ignore parameters beyond the hundredth one, which might allow remote attackers to bypass intended access restrictions or interfere with certain Web Application Firewall (ngx_lua_waf or X-WAF) products. NOTE: the vendor has reported that 100 parameters is an intentional default setting, but is adjustable within the API. The vendor's position is that a security-relevant misuse of the API by a WAF product is a vulnerability in the WAF product, not a vulnerability in OpenResty.

SQL Injection
