F5 NGINX Plus
cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*
- >= 37.0.0.1, <= 37.0.2.1
- R33 - R36
A heap buffer over-read vulnerability has been identified in NGINX Plus versions 37.0.0.1 to 37.0.2.1 and in the NGINX Plus 5.x version range prior to 5.9.0, when the Message Queuing Telemetry Transport (MQTT) filter module is enabled. This vulnerability allows remote, unauthenticated attackers to send requests that cause a heap buffer over-read in the NGINX worker process, leading to a process restart. This issue affects the data plane only, with no exposure to the control plane.
Exploitation of this vulnerability causes the NGINX worker process to restart, disrupting any active connections or processes handled by that worker.
Users can upgrade to NGINX Plus version 37.0.3.1 or NGINX Plus 5.9.0 and above to address this vulnerability.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.