F5 NGINX Plus
cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*
- >= 37.0.0.1, <= 37.0.2.1
- ~R33
- ~R34
- ~R35
- ~R36
A vulnerability allowing for a heap buffer overflow has been identified in NGINX Plus (versions 37.0.0.1 to 37.0.2.1) and NGINX Open Source (versions 1.31.2, 1.30.0 to 1.30.3) when the map directive employs regex matching. The issue arises if a string expression references the map's regex capture variables before the map output variable, or by using a non-cacheable variable in a string expression under certain conditions. This vulnerability can be exploited by an unauthenticated attacker, under conditions beyond their control, by sending crafted HTTP requests. The buffer overflow occurs in the NGINX worker process, potentially leading to a restart. Furthermore, on systems with Address Space Layout Randomization (ASLR) disabled or where ASLR can be bypassed, this vulnerability may allow for code execution.
Exploitation of this vulnerability can cause a denial-of-service condition on the NGINX system, leading to a restart of the NGINX worker process. Additionally, it may allow for remote code execution on systems where ASLR is disabled or can be bypassed.
To mitigate this vulnerability, avoid using unnamed captures in regex map directives. Instead, use named captures and reference them within the same block as the regex match. Users can upgrade to NGINX Plus version 37.0.3.1 or NGINX Open Source versions 1.31.3 or 1.30.4, depending on their current version.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.