CVE-2024-7347

low-risk
Published 2024-08-14

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory, resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Do I need to act?

EPSS: 0.20% chance of exploitation (low exploit probability)

CISA KEV: not listed (no confirmed active exploitation reported to CISA)

Patch status: unknown (check vendor advisories for fix availability and mitigation guidance)

CVSS: 4.7/10 Medium (attack vector LOCAL, attack complexity HIGH)

Affected Products (6)

Nginx Open Source
Nginx Plus

Affected Vendors

F5

Risk score: 26 / 100 (low-risk)

Severity 12/34 · Low
Exploitability 1/34 · Minimal
Exposure 13/34 · Low