From f9a91e744dfa2dafa260376837f71fb717d0507c Mon Sep 17 00:00:00 2001
From: ziad hany
Date: Wed, 7 Jan 2026 01:15:31 +0200
Subject: [PATCH 1/3] Initial migration of nginx importer

Signed-off-by: ziad hany
---
 vulnerabilities/importers/__init__.py | 2 +
 .../pipelines/v2_importers/nginx_importer.py | 229 ++
 .../v2_importers/test_nginx_importer_v2.py | 151 ++
 ...ity_advisories-advisory_data-expected.json | 1627 +++++++++++++
 ...security_advisories-importer-expected.json | 2113 +++++++++++++++++
 .../nginx_v2/security_advisories.html | 96 +
 .../nginx_v2/security_advisories.html.ABOUT | 2 +
 7 files changed, 4220 insertions(+)
 create mode 100644 vulnerabilities/pipelines/v2_importers/nginx_importer.py
 create mode 100644 vulnerabilities/tests/pipelines/v2_importers/test_nginx_importer_v2.py
 create mode 100644 vulnerabilities/tests/test_data/nginx_v2/security_advisories-advisory_data-expected.json
 create mode 100644 vulnerabilities/tests/test_data/nginx_v2/security_advisories-importer-expected.json
 create mode 100644 vulnerabilities/tests/test_data/nginx_v2/security_advisories.html
 create mode 100644 vulnerabilities/tests/test_data/nginx_v2/security_advisories.html.ABOUT
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
index 8aa9961d5..e609fbc79 100644
--- a/vulnerabilities/importers/__init__.py
+++ b/vulnerabilities/importers/__init__.py
@@ -55,6 +55,7 @@
 from vulnerabilities.pipelines.v2_importers import istio_importer as istio_importer_v2
 from vulnerabilities.pipelines.v2_importers import mattermost_importer as mattermost_importer_v2
 from vulnerabilities.pipelines.v2_importers import mozilla_importer as mozilla_importer_v2
+from vulnerabilities.pipelines.v2_importers import nginx_importer as nginx_importer_v2
 from vulnerabilities.pipelines.v2_importers import npm_importer as npm_importer_v2
 from vulnerabilities.pipelines.v2_importers import nvd_importer as nvd_importer_v2
 from vulnerabilities.pipelines.v2_importers import oss_fuzz as oss_fuzz_v2
@@ -89,6 +90,7 @@
 aosp_importer_v2.AospImporterPipeline,
 ruby_importer_v2.RubyImporterPipeline,
 epss_importer_v2.EPSSImporterPipeline,
+ nginx_importer_v2.NginxImporterPipeline,
 mattermost_importer_v2.MattermostImporterPipeline,
 nvd_importer.NVDImporterPipeline,
 github_importer.GitHubAPIImporterPipeline,
diff --git a/vulnerabilities/pipelines/v2_importers/nginx_importer.py b/vulnerabilities/pipelines/v2_importers/nginx_importer.py
new file mode 100644
index 000000000..c017b5f75
--- /dev/null
+++ b/vulnerabilities/pipelines/v2_importers/nginx_importer.py
@@ -0,0 +1,229 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from typing import Iterable
+from typing import NamedTuple
+
+import requests
+from bs4 import BeautifulSoup
+from packageurl import PackageURL
+from univers.version_range import NginxVersionRange
+from univers.versions import InvalidVersion
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.importer import VulnerabilitySeverity
+from vulnerabilities.importer import logger
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.severity_systems import GENERIC
+
+
+class NginxImporterPipeline(VulnerableCodeBaseImporterPipeline):
+ """Collect Nginx security advisories."""
+
+ pipeline_id = "nginx_importer_v2"
+
+ spdx_license_expression = "BSD-2-Clause"
+ license_url = "https://nginx.org/LICENSE"
+ url = "https://nginx.org/en/security_advisories.html"
+ importer_name = "Nginx Importer"
+
+ @classmethod
+ def steps(cls):
+ return (
+ cls.fetch,
+ cls.collect_and_store_advisories,
+ )
+
+ def fetch(self):
+ self.log(f"Fetch `{self.url}`")
+ self.advisory_data = requests.get(self.url).text
+
+ def advisories_count(self):
+ return self.advisory_data.count("
  • ")
+
+ def collect_advisories(self) -> Iterable[AdvisoryData]:
+ """
+ Yield AdvisoryData from nginx security advisories HTML
+ web page.
+ """
+ soup = BeautifulSoup(self.advisory_data, features="lxml")
+ vulnerability_list = soup.select("li p")
+ for vulnerability_info in vulnerability_list:
+ ngnix_advisory = parse_advisory_data_from_paragraph(vulnerability_info)
+ yield to_advisory_data(ngnix_advisory)
+
+
+class NginxAdvisory(NamedTuple):
+ advisory_id: str
+ aliases: list
+ summary: str
+ severities: list
+ not_vulnerable: str
+ vulnerable: str
+ references: list
+
+ def to_dict(self):
+ return self._asdict()
+
+
+def to_advisory_data(nginx_adv: NginxAdvisory) -> AdvisoryData:
+ """
+ Return AdvisoryData from an NginxAdvisory tuple.
+ """
+ package_name = "nginx"
+ package_type = "nginx"
+ qualifiers = {}
+
+ purl = PackageURL(type=package_type, name=package_name, qualifiers=qualifiers)
+
+ _, _, affected_versions = nginx_adv.vulnerable.partition(":")
+ affected_versions = affected_versions.strip()
+
+ if "nginx/Windows" in affected_versions:
+ qualifiers["os"] = "windows"
+ affected_versions = affected_versions.replace("nginx/Windows", "")
+
+ _, _, fixed_versions = nginx_adv.not_vulnerable.partition(":")
+ fixed_versions = fixed_versions.strip()
+
+ if "nginx/Windows" in fixed_versions:
+ qualifiers["os"] = "windows"
+ fixed_versions = fixed_versions.replace("nginx/Windows", "")
+
+ fixed_version_range = None
+ try:
+ fixed_version_range = NginxVersionRange.from_native(fixed_versions)
+ except InvalidVersion:
+ logger.error(f"Invalid vulnerable range {fixed_versions}")
+
+ affected_version_range = None
+ try:
+ affected_version_range = NginxVersionRange.from_native(affected_versions)
+ except InvalidVersion:
+ logger.error(f"Invalid non vulnerable range {affected_versions}")
+
+ affected_packages = []
+ if purl and affected_version_range or fixed_version_range:
+ affected_packages.append(
+ AffectedPackageV2(
+ package=purl,
+ affected_version_range=affected_version_range,
+ fixed_version_range=fixed_version_range,
+ )
+ )
+
+ return AdvisoryData(
+ advisory_id=nginx_adv.advisory_id,
+ aliases=nginx_adv.aliases,
+ summary=nginx_adv.summary,
+ affected_packages=affected_packages,
+ references_v2=nginx_adv.references,
+ url="https://nginx.org/en/security_advisories.html",
+ )
+
+
+def parse_advisory_data_from_paragraph(vulnerability_info):
+ """
+ Return an NginxAdvisory from a ``vulnerability_info`` bs4 paragraph.
+
+ An advisory paragraph, without html markup, looks like this:
+
+ 1-byte memory overwrite in resolver
+ Severity: medium
+ Advisory
+ CVE-2021-23017
+ Not vulnerable: 1.21.0+, 1.20.1+
+ Vulnerable: 0.6.18-1.20.0
+ The patch pgp
+
+ """
+ aliases = []
+ summary = None
+ severities = []
+ not_vulnerable = None
+ vulnerable = None
+ references = []
+ is_first = True
+
+ # we iterate on the children to accumulate values in variables
+ # FIXME: using an explicit xpath-like query could be simpler
+ for child in vulnerability_info.children:
+ if is_first:
+ summary = child
+ is_first = False
+ continue
+
+ text = child.text.strip()
+ text_low = text.lower()
+
+ if text.startswith(
+ (
+ "CVE-",
+ "CORE-",
+ "VU#",
+ )
+ ):
+ aliases.append(text)
+ if text.startswith("CVE-"):
+ # always keep the CVE as a reference too
+ link = f"https://nvd.nist.gov/vuln/detail/{text}"
+ reference = ReferenceV2(reference_id=text, url=link)
+ references.append(reference)
+
+ elif "severity" in text_low:
+ severity = build_severity(severity=text)
+ if severity:
+ severities.append(severity)
+
+ elif "not vulnerable" in text_low:
+ not_vulnerable = text
+
+ elif "vulnerable" in text_low:
+ vulnerable = text
+
+ elif hasattr(child, "attrs"):
+ link = child.attrs.get("href")
+ if link:
+ if "cve.mitre.org" in link:
+ references.append(ReferenceV2(reference_id=text, url=link))
+ elif "mailman.nginx.org" in link:
+ references.append(ReferenceV2(url=link))
+ else:
+ link = requests.compat.urljoin("https://nginx.org", link)
+ references.append(ReferenceV2(url=link))
+
+ advisory_id = aliases.pop()
+ return NginxAdvisory(
+ advisory_id=advisory_id,
+ aliases=aliases,
+ summary=summary,
+ severities=severities,
+ not_vulnerable=not_vulnerable,
+ vulnerable=vulnerable,
+ references=references,
+ )
+
+
+def build_severity(severity):
+ """
+ Return a VulnerabilitySeverity built from a ``severity`` string, or None.
+
+ For example::
+ >>> severity = "Severity: medium"
+ >>> expected = VulnerabilitySeverity(system=GENERIC, value="medium")
+ >>> assert build_severity(severity) == expected
+ """
+ if severity.startswith("Severity:"):
+ _, _, severity = severity.partition("Severity:")
+
+ severity = severity.strip()
+ if severity:
+ return VulnerabilitySeverity(system=GENERIC, value=severity)
diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_nginx_importer_v2.py b/vulnerabilities/tests/pipelines/v2_importers/test_nginx_importer_v2.py
new file mode 100644
index 000000000..7bf0e7977
--- /dev/null
+++ b/vulnerabilities/tests/pipelines/v2_importers/test_nginx_importer_v2.py
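Review bot: In `to_advisory_data`, `purl` is constructed before the two `nginx/Windows` checks, so the later `qualifiers["os"] = "windows"` most likely never reaches it (PackageURL, as far as I know, copies and normalises qualifiers at construction), and a Windows-only advisory would be stored against every nginx build. Move `purl = PackageURL(type=package_type, name=package_name, qualifiers=qualifiers)` below the second `nginx/Windows` block. The parsed severities are lost as well, because the `AdvisoryData(...)` call never receives `severities=nginx_adv.severities,`; the expected JSON added by this patch shows `"severities": []`. In `parse_advisory_data_from_paragraph`, `aliases.pop()` raises IndexError on a paragraph with no CVE/CORE/VU# id and ends the generator for every remaining advisory, so log and skip that paragraph instead. `fetch` calls `requests.get(self.url)` without `timeout=` or `raise_for_status()`, which lets an error page be parsed as an empty advisory list with no failure signal.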
@@ -0,0 +1,151 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/aboutcode-org/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# + +from pathlib import Path + +from bs4 import BeautifulSoup +from commoncode import testcase +from univers.version_range import NginxVersionRange + +from vulnerabilities.importer import ReferenceV2 +from vulnerabilities.importer import VulnerabilitySeverity +from vulnerabilities.pipelines.v2_importers import nginx_importer +from vulnerabilities.severity_systems import GENERIC +from vulnerabilities.tests import util_tests +from vulnerabilities.utils import is_vulnerable_nginx_version + +ADVISORY_FIELDS_TO_TEST = ( + "unique_content_id", + "summary", + "affected_packages", + "references", + "date_published", + "weaknesses", +) + + +class NginxImporterPipeline(testcase.FileBasedTesting): + test_data_dir = Path(__file__).parent.parent.parent / "test_data" / "nginx_v2" + + def test_is_vulnerable(self): + # Not vulnerable: 1.17.3+, 1.16.1+ + # Vulnerable: 1.9.5-1.17.2 + + vcls = NginxVersionRange.version_class + affected_version_range = NginxVersionRange.from_native("1.9.5-1.17.2") + fixed_versions = [vcls("1.17.3"), vcls("1.16.1")] + + version = vcls("1.9.4") + assert not is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.9.5") + assert is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.9.6") + assert is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.16.0") + assert is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.16.1") + assert not is_vulnerable_nginx_version(version, 
affected_version_range, fixed_versions) + + version = vcls("1.16.2") + assert not is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.16.99") + assert not is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.17.0") + assert is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.17.1") + assert is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.17.2") + assert is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.17.3") + assert not is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.17.4") + assert not is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + version = vcls("1.18.0") + assert not is_vulnerable_nginx_version(version, affected_version_range, fixed_versions) + + def test_parse_advisory_data_from_paragraph(self): + paragraph = ( + "

    1-byte memory overwrite in resolver" + "
    Severity: medium
    " + 'Advisory' + "
    " + 'CVE-2021-23017' + "
    Not vulnerable: 1.21.0+, 1.20.1+
    " + "Vulnerable: 0.6.18-1.20.0
    " + '' + 'The patch  pgp' + "

    " + ) + vuln_info = BeautifulSoup(paragraph, features="lxml").p + expected = { + "advisory_id": "CVE-2021-23017", + "aliases": [], + "summary": "1-byte memory overwrite in resolver", + "severities": [ + VulnerabilitySeverity( + system=GENERIC, + value="medium", + scoring_elements="", + published_at=None, + url=None, + ) + ], + "not_vulnerable": "Not vulnerable: 1.21.0+, 1.20.1+", + "vulnerable": "Vulnerable: 0.6.18-1.20.0", + "references": [ + ReferenceV2( + reference_id="", + reference_type="", + url="http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html", + ), + ReferenceV2( + reference_id="CVE-2021-23017", + reference_type="", + url="https://nvd.nist.gov/vuln/detail/CVE-2021-23017", + ), + ReferenceV2( + reference_id="", + reference_type="", + url="https://nginx.org/download/patch.2021.resolver.txt", + ), + ReferenceV2( + reference_id="", + reference_type="", + url="https://nginx.org/download/patch.2021.resolver.txt.asc", + ), + ], + } + + result = nginx_importer.parse_advisory_data_from_paragraph(vuln_info) + assert result.to_dict() == expected + + def test_collect_advisories(self): + test_file = self.get_test_loc("security_advisories.html") + with open(test_file) as tf: + test_text = tf.read() + + expected_file = self.get_test_loc( + "security_advisories-advisory_data-expected.json", must_exist=False + ) + + test_pipeline = nginx_importer.NginxImporterPipeline() + test_pipeline.advisory_data = test_text + results = [na.to_dict() for na in test_pipeline.collect_advisories()] + util_tests.check_results_against_json(results, expected_file) diff --git a/vulnerabilities/tests/test_data/nginx_v2/security_advisories-advisory_data-expected.json b/vulnerabilities/tests/test_data/nginx_v2/security_advisories-advisory_data-expected.json new file mode 100644 index 000000000..bba65d14b --- /dev/null +++ b/vulnerabilities/tests/test_data/nginx_v2/security_advisories-advisory_data-expected.json 
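Review bot: The test case class is named `NginxImporterPipeline`, identical to the pipeline class it exercises through `nginx_importer.NginxImporterPipeline()`, which makes failures and greps ambiguous; rename it to `class TestNginxImporterPipeline(testcase.FileBasedTesting):`. `ADVISORY_FIELDS_TO_TEST` is defined but never used in this file, and nothing here loads `security_advisories-importer-expected.json` listed in the diffstat, so either add the test that consumes them or drop both. The hand-written paragraph case covers neither an `nginx/Windows` range nor the `os` qualifier, so that path is checked only through the generated expected JSON, if at all.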
@@ -0,0 +1,1627 @@ +[ + { + "advisory_id": "CVE-2024-32760", + "aliases": [], + "summary": "Buffer overwrite in HTTP/3", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0", + "fixed_version_range": "vers:nginx/>=1.26.1|<1.27.0|>=1.27.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html" + }, + { + "reference_id": "CVE-2024-32760", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32760" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2024-31079", + "aliases": [], + "summary": "Stack overflow and use-after-free in HTTP/3", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0", + "fixed_version_range": "vers:nginx/>=1.26.1|<1.27.0|>=1.27.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html" + }, + { + "reference_id": "CVE-2024-31079", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31079" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2024-35200", + "aliases": [], + "summary": "NULL pointer dereference in HTTP/3", 
+ "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0", + "fixed_version_range": "vers:nginx/>=1.26.1|<1.27.0|>=1.27.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html" + }, + { + "reference_id": "CVE-2024-35200", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35200" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2024-34161", + "aliases": [], + "summary": "Memory disclosure in HTTP/3", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0", + "fixed_version_range": "vers:nginx/>=1.26.1|<1.27.0|>=1.27.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html" + }, + { + "reference_id": "CVE-2024-34161", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34161" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2024-24989", + "aliases": [], + "summary": "NULL pointer dereference in HTTP/3", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": 
"", + "subpath": "" + }, + "affected_version_range": "vers:nginx/1.25.3", + "fixed_version_range": "vers:nginx/>=1.25.4", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html" + }, + { + "reference_id": "CVE-2024-24989", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24989" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2024-24990", + "aliases": [], + "summary": "Use-after-free in HTTP/3", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.3", + "fixed_version_range": "vers:nginx/>=1.25.4", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html" + }, + { + "reference_id": "CVE-2024-24990", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24990" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2022-41741", + "aliases": [], + "summary": "Memory corruption in the ngx_http_mp4_module", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.23.1", + "fixed_version_range": "vers:nginx/>=1.22.1|<1.23.0|>=1.23.2", + 
"introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html" + }, + { + "reference_id": "CVE-2022-41741", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41741" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2022.mp4.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2022.mp4.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2022-41742", + "aliases": [], + "summary": "Memory disclosure in the ngx_http_mp4_module", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.23.1", + "fixed_version_range": "vers:nginx/>=1.22.1|<1.23.0|>=1.23.2", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html" + }, + { + "reference_id": "CVE-2022-41742", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41742" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2022.mp4.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2022.mp4.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2021-23017", + "aliases": 
[], + "summary": "1-byte memory overwrite in resolver", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.6.18|<=1.20.0", + "fixed_version_range": "vers:nginx/>=1.20.1|<1.21.0|>=1.21.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html" + }, + { + "reference_id": "CVE-2021-23017", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23017" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2021.resolver.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2021.resolver.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2019-9511", + "aliases": [], + "summary": "Excessive CPU usage in HTTP/2 with small window updates", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2", + "fixed_version_range": "vers:nginx/>=1.16.1|<1.17.0|>=1.17.3", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html" + }, + { + "reference_id": "CVE-2019-9511", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": 
"https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2019-9513", + "aliases": [], + "summary": "Excessive CPU usage in HTTP/2 with priority changes", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2", + "fixed_version_range": "vers:nginx/>=1.16.1|<1.17.0|>=1.17.3", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html" + }, + { + "reference_id": "CVE-2019-9513", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9513" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2019-9516", + "aliases": [], + "summary": "Excessive memory usage in HTTP/2 with zero length headers", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2", + "fixed_version_range": "vers:nginx/>=1.16.1|<1.17.0|>=1.17.3", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html" + }, + { + "reference_id": "CVE-2019-9516", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9516" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2018-16843", + "aliases": [], + "summary": "Excessive memory usage in HTTP/2", + 
"affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.9.5|<=1.15.5", + "fixed_version_range": "vers:nginx/>=1.14.1|<1.15.0|>=1.15.6", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html" + }, + { + "reference_id": "CVE-2018-16843", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16843" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2018-16844", + "aliases": [], + "summary": "Excessive CPU usage in HTTP/2", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.9.5|<=1.15.5", + "fixed_version_range": "vers:nginx/>=1.14.1|<1.15.0|>=1.15.6", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html" + }, + { + "reference_id": "CVE-2018-16844", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16844" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2018-16845", + "aliases": [], + "summary": "Memory disclosure in the ngx_http_mp4_module", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": 
"vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.15.5", + "fixed_version_range": "vers:nginx/>=1.14.1|<1.15.0|>=1.15.6", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html" + }, + { + "reference_id": "CVE-2018-16845", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16845" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2018.mp4.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2018.mp4.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2017-7529", + "aliases": [], + "summary": "Integer overflow in the range filter", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.5.6|<=1.13.2", + "fixed_version_range": "vers:nginx/>=1.12.1|<1.13.0|>=1.13.3", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html" + }, + { + "reference_id": "CVE-2017-7529", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7529" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2017.ranges.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2017.ranges.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + 
"advisory_id": "CVE-2016-4450", + "aliases": [], + "summary": "NULL pointer dereference while writing client request body", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.3.9|<=1.11.0", + "fixed_version_range": "vers:nginx/>=1.10.1|<1.11.0|>=1.11.1", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html" + }, + { + "reference_id": "CVE-2016-4450", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4450" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2016.write.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2016.write.txt.asc" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2016.write2.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2016.write2.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2016-0742", + "aliases": [], + "summary": "Invalid pointer dereference in resolver", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9", + "fixed_version_range": "vers:nginx/>=1.8.1|<1.9.0|>=1.9.10", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": 
"https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html" + }, + { + "reference_id": "CVE-2016-0742", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0742" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2016-0746", + "aliases": [], + "summary": "Use-after-free during CNAME response processing in resolver", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9", + "fixed_version_range": "vers:nginx/>=1.8.1|<1.9.0|>=1.9.10", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html" + }, + { + "reference_id": "CVE-2016-0746", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0746" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2016-0747", + "aliases": [], + "summary": "Insufficient limits of CNAME resolution in resolver", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9", + "fixed_version_range": "vers:nginx/>=1.8.1|<1.9.0|>=1.9.10", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html" + }, + { + "reference_id": "CVE-2016-0747", + "reference_type": "", + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2016-0747" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2014-3616", + "aliases": [], + "summary": "SSL session reuse vulnerability", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.5.6|<=1.7.4", + "fixed_version_range": "vers:nginx/>=1.6.2|<1.7.0|>=1.7.5", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html" + }, + { + "reference_id": "CVE-2014-3616", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3616" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2014-3556", + "aliases": [], + "summary": "STARTTLS command injection", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.5.6|<=1.7.3", + "fixed_version_range": "vers:nginx/>=1.6.1|<1.7.0|>=1.7.4", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html" + }, + { + "reference_id": "CVE-2014-3556", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3556" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2014.starttls.txt" + }, + { + "reference_id": "", + "reference_type": "", + 
"url": "https://nginx.org/download/patch.2014.starttls.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2014-0133", + "aliases": [], + "summary": "SPDY heap buffer overflow", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.3.15|<=1.5.11", + "fixed_version_range": "vers:nginx/>=1.4.7|<1.5.0|>=1.5.12", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html" + }, + { + "reference_id": "CVE-2014-0133", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0133" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2014.spdy2.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2014.spdy2.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2014-0088", + "aliases": [], + "summary": "SPDY memory corruption", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/1.5.10", + "fixed_version_range": "vers:nginx/>=1.5.11", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000132.html" + }, + { + "reference_id": "CVE-2014-0088", + "reference_type": "", + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2014-0088" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2014.spdy.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2014.spdy.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2013-4547", + "aliases": [], + "summary": "Request line parsing vulnerability", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.8.41|<=1.5.6", + "fixed_version_range": "vers:nginx/>=1.4.4|<1.5.0|>=1.5.7", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html" + }, + { + "reference_id": "CVE-2013-4547", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4547" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2013.space.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2013.space.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2013-2070", + "aliases": [], + "summary": "Memory disclosure with specially crafted HTTP backend responses", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.1.4|<=1.2.8|>=1.3.9|<=1.4.0", + "fixed_version_range": 
"vers:nginx/>=1.2.9|<1.3.0|>=1.4.1|<1.5.0|>=1.5.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html" + }, + { + "reference_id": "CVE-2013-2070", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2070" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2013.chunked.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2013.chunked.txt.asc" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2013.proxy.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2013.proxy.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2013-2028", + "aliases": [], + "summary": "Stack-based buffer overflow with specially crafted request", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.3.9|<=1.4.0", + "fixed_version_range": "vers:nginx/>=1.4.1|<1.5.0|>=1.5.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html" + }, + { + "reference_id": "CVE-2013-2028", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2028" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2013.chunked.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": 
"https://nginx.org/download/patch.2013.chunked.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2011-4963", + "aliases": [], + "summary": "Vulnerabilities with Windows directory aliases", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.7.52|<=1.3.0", + "fixed_version_range": "vers:nginx/>=1.2.1|<1.3.0|>=1.3.1", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2012/000086.html" + }, + { + "reference_id": "CVE-2011-4963", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4963" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2012-2089", + "aliases": [], + "summary": "Buffer overflow in the ngx_http_mp4_module", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.14|>=1.1.3|<=1.1.18", + "fixed_version_range": "vers:nginx/>=1.0.15|<1.1.0|>=1.1.19", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2012/000080.html" + }, + { + "reference_id": "CVE-2012-2089", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2089" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2012.mp4.txt" + 
}, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2012.mp4.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2012-1180", + "aliases": [], + "summary": "Memory disclosure with specially crafted backend responses", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.1.0|<=1.1.16", + "fixed_version_range": "vers:nginx/>=1.0.14|<1.1.0|>=1.1.17", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2012/000076.html" + }, + { + "reference_id": "CVE-2012-1180", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1180" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2012.memory.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.2012.memory.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2011-4315", + "aliases": [], + "summary": "Buffer overflow in resolver", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.6.18|<=1.1.7", + "fixed_version_range": "vers:nginx/>=1.0.10|<1.1.0|>=1.1.8", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "CVE-2011-4315", + "reference_type": "", + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2011-4315" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2010-2266", + "aliases": [], + "summary": "Vulnerabilities with invalid UTF-8 sequence on Windows", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.40", + "fixed_version_range": "vers:nginx/>=0.7.67|>=0.8.41|<0.9.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "CVE-2010-2266", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2266" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2010-2263", + "aliases": [], + "summary": "Vulnerabilities with Windows file default stream", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.39", + "fixed_version_range": "vers:nginx/>=0.7.66|>=0.8.40|<0.9.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "CVE-2010-2263", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2263" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CORE-2010-0121", + "aliases": [], + "summary": "Vulnerabilities with Windows 8.3 filename pseudonyms", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + 
"version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.32", + "fixed_version_range": "vers:nginx/>=0.7.65|>=0.8.33|<0.9.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2009-4487", + "aliases": [], + "summary": "An error log data are not sanitized", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/*", + "fixed_version_range": null, + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "CVE-2009-4487", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-4487" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2009-3555", + "aliases": [ + "VU#120541" + ], + "summary": "The renegotiation vulnerability in SSL protocol", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.22", + "fixed_version_range": "vers:nginx/>=0.7.64|>=0.8.23|<0.9.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "CVE-2009-3555", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.cve-2009-3555.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": 
"https://nginx.org/download/patch.cve-2009-3555.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2009-3898", + "aliases": [], + "summary": "Directory traversal vulnerability", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.16", + "fixed_version_range": "vers:nginx/>=0.7.63|>=0.8.17|<0.9.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "CVE-2009-3898", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3898" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + { + "advisory_id": "CVE-2009-2629", + "aliases": [ + "VU#180065" + ], + "summary": "Buffer underflow vulnerability", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.14", + "fixed_version_range": "vers:nginx/>=0.5.38|>=0.6.39|<0.7.0|>=0.7.62|>=0.8.15|<0.9.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "CVE-2009-2629", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2629" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.180065.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.180065.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + }, + 
{ + "advisory_id": "CVE-2009-3896", + "aliases": [], + "summary": "Null pointer dereference vulnerability", + "affected_packages": [ + { + "package": { + "type": "nginx", + "namespace": "", + "name": "nginx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.13", + "fixed_version_range": "vers:nginx/>=0.5.38|>=0.6.39|<0.7.0|>=0.7.62|>=0.8.14|<0.9.0", + "introduced_by_commit_patches": [], + "fixed_by_commit_patches": [] + } + ], + "references_v2": [ + { + "reference_id": "CVE-2009-3896", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3896" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.null.pointer.txt" + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://nginx.org/download/patch.null.pointer.txt.asc" + } + ], + "patches": [], + "severities": [], + "date_published": null, + "weaknesses": [], + "url": "https://nginx.org/en/security_advisories.html" + } +]
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/nginx_v2/security_advisories-importer-expected.json b/vulnerabilities/tests/test_data/nginx_v2/security_advisories-importer-expected.json
new file mode 100644
index 000000000..9e760590f
--- /dev/null
+++ b/vulnerabilities/tests/test_data/nginx_v2/security_advisories-importer-expected.json
@@ -0,0 +1,2113 @@
+[ + { + "unique_content_id": "041e081a630681e36df17fc2471cd58a789dce20b54dce62c66900baceb7d771", + "summary": "Stack overflow and use-after-free in HTTP/3", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.27.0", + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.26.1", + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31079", + "severities": [], + "reference_id": "CVE-2024-31079", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "044f1ec3ed59bdbafada7e40b37f7a3cbd0afc31c67aac002251f7ed56e756db", + "summary": "Vulnerabilities with Windows directory aliases", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "os=windows" + }, + "fixed_version": "1.3.1", + "affected_version_range": "vers:nginx/>=0.7.52|<=1.3.0" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "os=windows" + }, + "fixed_version": "1.2.1", + "affected_version_range": "vers:nginx/>=0.7.52|<=1.3.0" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2012/000086.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", +
"scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4963", + "severities": [], + "reference_id": "CVE-2011-4963", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "04ec1beb69b3712ef90b5975ff13d5d9ece8dc4c31e2fbd033e1e7be98f889ed", + "summary": "SPDY heap buffer overflow", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.5.12", + "affected_version_range": "vers:nginx/>=1.3.15|<=1.5.11" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.4.7", + "affected_version_range": "vers:nginx/>=1.3.15|<=1.5.11" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0133", + "severities": [], + "reference_id": "CVE-2014-0133", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2014.spdy2.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2014.spdy2.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "1000911200f3a7046464251c86a45451e6d049b88cb3e5edc6d009a1867418f7", + "summary": "An error log data are not sanitized", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": null, + "affected_version_range": "vers:nginx/*" + } + ], + "references": [ + { + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2009-4487", + "severities": [], + "reference_id": "CVE-2009-4487", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "37a3e3a4d916420d151462c0e761db15f3dfb81ead3e3fa18e84ef4a93151d4c", + "summary": "Excessive CPU usage in HTTP/2", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.15.6", + "affected_version_range": "vers:nginx/>=1.9.5|<=1.15.5" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.14.1", + "affected_version_range": "vers:nginx/>=1.9.5|<=1.15.5" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html", + "severities": [ + { + "value": "low", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16844", + "severities": [], + "reference_id": "CVE-2018-16844", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "3db919e67e7061f392f575e7ac88884850c686c133ebdd4f58dfddb6196e15bf", + "summary": "NULL pointer dereference while writing client request body", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.11.1", + "affected_version_range": "vers:nginx/>=1.3.9|<=1.11.0" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.10.1", + "affected_version_range": "vers:nginx/>=1.3.9|<=1.11.0" + } + ], + "references": [ + { + "url": 
"https://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4450", + "severities": [], + "reference_id": "CVE-2016-4450", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2016.write.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2016.write.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2016.write2.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2016.write2.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "3f9a96e88c2c8cb3ad5852621091d686b420e0fa25921a9f10f330e02e7f47d6", + "summary": "Insufficient limits of CNAME resolution in resolver", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.9.10", + "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.8.1", + "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0747", + "severities": [], + "reference_id": "CVE-2016-0747", + 
"reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "4590b8b17cfdf0314dffd75372ba416fd8ced35cdeb673aabe9d2ed5b19dab3d", + "summary": "Memory disclosure with specially crafted HTTP backend responses", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.5.0", + "affected_version_range": "vers:nginx/>=1.1.4|<=1.2.8|>=1.3.9|<=1.4.0" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.4.1", + "affected_version_range": "vers:nginx/>=1.1.4|<=1.2.8|>=1.3.9|<=1.4.0" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.2.9", + "affected_version_range": "vers:nginx/>=1.1.4|<=1.2.8|>=1.3.9|<=1.4.0" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2070", + "severities": [], + "reference_id": "CVE-2013-2070", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2013.chunked.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2013.chunked.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2013.proxy.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2013.proxy.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + 
"weaknesses": [] + }, + { + "unique_content_id": "516f2188bdac91f9372ec3e200c4e754179f61fb8bf3a4613d97ebb569e46831", + "summary": "Memory corruption in the ngx_http_mp4_module", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.23.2", + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.23.1" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.22.1", + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.23.1" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41741", + "severities": [], + "reference_id": "CVE-2022-41741", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2022.mp4.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2022.mp4.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "60c648561ee11d1ece306182ff608e5d66aeb748c91c4c91d79aa4f7967f2149", + "summary": "Integer overflow in the range filter", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.13.3", + "affected_version_range": "vers:nginx/>=0.5.6|<=1.13.2" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + 
"fixed_version": "1.12.1", + "affected_version_range": "vers:nginx/>=0.5.6|<=1.13.2" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7529", + "severities": [], + "reference_id": "CVE-2017-7529", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2017.ranges.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2017.ranges.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "68957cdbe4f38386944b07c2f3138ad59f02df490dab487d8709f8642a395496", + "summary": "SSL session reuse vulnerability", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.7.5", + "affected_version_range": "vers:nginx/>=0.5.6|<=1.7.4" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.6.2", + "affected_version_range": "vers:nginx/>=0.5.6|<=1.7.4" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3616", + "severities": [], + "reference_id": "CVE-2014-3616", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": 
"6dfd4b51bcdf1ee31bfdd97ee6370422b70533c1db972de69cdc2e281a4bb90a", + "summary": "Stack-based buffer overflow with specially crafted request", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.5.0", + "affected_version_range": "vers:nginx/>=1.3.9|<=1.4.0" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.4.1", + "affected_version_range": "vers:nginx/>=1.3.9|<=1.4.0" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2028", + "severities": [], + "reference_id": "CVE-2013-2028", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2013.chunked.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2013.chunked.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "702a79bf8a92e5ce967d5d540f03d225e05906df0cb641c5538e0e8b8045aa89", + "summary": "NULL pointer dereference in HTTP/3", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.25.4", + "affected_version_range": "vers:nginx/1.25.3" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24989", + "severities": [], + "reference_id": "CVE-2024-24989", + "reference_type": "" 
+ } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "71ee7b435e15272f8531b568d58f82e33cfb3881f3ee80b5cae1788183f91827", + "summary": "Use-after-free in HTTP/3", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.25.4", + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.3" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24990", + "severities": [], + "reference_id": "CVE-2024-24990", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "743193c823a19a8eea1eeb8bb5ea6c3314ca6350b8d6ba0bcf2ac29d2e99ab11", + "summary": "Memory disclosure in the ngx_http_mp4_module", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.23.2", + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.23.1" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.22.1", + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.23.1" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41742", + "severities": [], + "reference_id": "CVE-2022-41742", + "reference_type": "" + }, + { + "url": 
"https://nginx.org/download/patch.2022.mp4.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2022.mp4.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "74d2403b1a2d875ba8411a315d217fd704642a39c3e9392bd2b81cd4e4cca8a8", + "summary": "Use-after-free during CNAME response processing in resolver", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.9.10", + "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.8.1", + "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0746", + "severities": [], + "reference_id": "CVE-2016-0746", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "79d90dc8b83d6267a92f31d11be14dc27e619f6edaa996935bf4d0d33b70e575", + "summary": "Buffer overflow in resolver", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.1.8", + "affected_version_range": "vers:nginx/>=0.6.18|<=1.1.7" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.0.10", + "affected_version_range": 
"vers:nginx/>=0.6.18|<=1.1.7" + } + ], + "references": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4315", + "severities": [], + "reference_id": "CVE-2011-4315", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "7dd1dec4f019ce4e044852324feb9444dbc965f26c98025bc28f50294251c5c0", + "summary": "Excessive CPU usage in HTTP/2 with small window updates", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.17.3", + "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.16.1", + "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511", + "severities": [], + "reference_id": "CVE-2019-9511", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "8f54462a45ac49635f660b6fb755d5e05cdbc34ebaa565e38ca20c522579ce7f", + "summary": "Vulnerabilities with Windows 8.3 filename pseudonyms", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "os=windows" + }, + "fixed_version": "0.8.33", + "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.32" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "os=windows" + }, + "fixed_version": "0.7.65", + "affected_version_range": 
"vers:nginx/>=0.7.52|<=0.8.32" + } + ], + "references": [], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "92ce767b8cea36271d33c119cb6f706f64f5aba7335cca6791eca90a87f48de1", + "summary": "Vulnerabilities with Windows file default stream", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "os=windows" + }, + "fixed_version": "0.8.40", + "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.39" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "os=windows" + }, + "fixed_version": "0.7.66", + "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.39" + } + ], + "references": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2263", + "severities": [], + "reference_id": "CVE-2010-2263", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "93ffd507f57f7b01de0bc7cff479daba1c120e28d45b60a14f8fa98bdf597f4a", + "summary": "NULL pointer dereference in HTTP/3", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.27.0", + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.26.1", + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35200", + "severities": 
[], + "reference_id": "CVE-2024-35200", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "95dab77a3ea69d6d0bac6b48719f4e1d5435af7f1f1a0c1d62aa343bed5e3f32", + "summary": "Buffer overwrite in HTTP/3", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.27.0", + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.26.1", + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32760", + "severities": [], + "reference_id": "CVE-2024-32760", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "9a3699853c72ab1e08f226c4f09f669b6e8b6f0431fa4e78549cd87d8466e0f7", + "summary": "Vulnerabilities with invalid UTF-8 sequence on Windows", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "os=windows" + }, + "fixed_version": "0.8.41", + "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.40" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "os=windows" + }, + "fixed_version": "0.7.67", + "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.40" + } + ], + "references": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2266", + 
"severities": [], + "reference_id": "CVE-2010-2266", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "9bb829ca8d94430d97ea8bb4d67cddb9f41140a7550e5dced08918f35f1dc5f1", + "summary": "Memory disclosure with specially crafted backend responses", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.1.17", + "affected_version_range": "vers:nginx/>=0.1.0|<=1.1.16" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.0.14", + "affected_version_range": "vers:nginx/>=0.1.0|<=1.1.16" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2012/000076.html", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1180", + "severities": [], + "reference_id": "CVE-2012-1180", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2012.memory.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2012.memory.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "9d373a60d30d98c6a84d134e0f1c1880b4e82b795a9175c51b172c9d988633c4", + "summary": "Buffer overflow in the ngx_http_mp4_module", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.1.19", + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.14|>=1.1.3|<=1.1.18" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + 
"fixed_version": "1.0.15", + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.14|>=1.1.3|<=1.1.18" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2012/000080.html", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2089", + "severities": [], + "reference_id": "CVE-2012-2089", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2012.mp4.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2012.mp4.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "b011769b7166e6e3a5b0dabd560be9fec2b4963a0c14c8934b394504041dd801", + "summary": "Request line parsing vulnerability", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.5.7", + "affected_version_range": "vers:nginx/>=0.8.41|<=1.5.6" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.4.4", + "affected_version_range": "vers:nginx/>=0.8.41|<=1.5.6" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4547", + "severities": [], + "reference_id": "CVE-2013-4547", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2013.space.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2013.space.txt.asc", + "severities": 
[], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "b141e948fdfecc52a52fd4111fff37b57216a7f8fd1421df478db15e620a4571", + "summary": "1-byte memory overwrite in resolver", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.21.0", + "affected_version_range": "vers:nginx/>=0.6.18|<=1.20.0" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.20.1", + "affected_version_range": "vers:nginx/>=0.6.18|<=1.20.0" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23017", + "severities": [], + "reference_id": "CVE-2021-23017", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2021.resolver.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2021.resolver.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "b97accb1929bfc3181c61e41c2163f051cac435ea3671b05ebf708ac24c53f15", + "summary": "Memory disclosure in HTTP/3", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.27.0", + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + 
"qualifiers": "" + }, + "fixed_version": "1.26.1", + "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34161", + "severities": [], + "reference_id": "CVE-2024-34161", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "cc6ff6eaba227bf65c93964fdf2731b75ff1597638283ae950e3941cd4932632", + "summary": "Invalid pointer dereference in resolver", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.9.10", + "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.8.1", + "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0742", + "severities": [], + "reference_id": "CVE-2016-0742", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "de7a819f87c93c708251b734406d2b9916fce494ab3987be40ca37426b0c2044", + "summary": "Buffer underflow vulnerability", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": 
"" + }, + "fixed_version": "0.8.15", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.14" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "0.7.62", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.14" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "0.6.39", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.14" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "0.5.38", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.14" + } + ], + "references": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2629", + "severities": [], + "reference_id": "CVE-2009-2629", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.180065.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.180065.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "e3af8c6275036d10bb0d3b20807288808bcb24ff1fad37f09757d381f90fc862", + "summary": "STARTTLS command injection", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.7.4", + "affected_version_range": "vers:nginx/>=1.5.6|<=1.7.3" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.6.1", + "affected_version_range": "vers:nginx/>=1.5.6|<=1.7.3" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html", + "severities": [ 
+ { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3556", + "severities": [], + "reference_id": "CVE-2014-3556", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2014.starttls.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2014.starttls.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "e4731a12d4f385fc4d0774714c3e79dc98b8ec9c1c648120e0aa196a0d165066", + "summary": "Excessive memory usage in HTTP/2", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.15.6", + "affected_version_range": "vers:nginx/>=1.9.5|<=1.15.5" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.14.1", + "affected_version_range": "vers:nginx/>=1.9.5|<=1.15.5" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html", + "severities": [ + { + "value": "low", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16843", + "severities": [], + "reference_id": "CVE-2018-16843", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "e9adfcf58bd2f302fd81436744937e8ea8bae7e1d7133d54cc4097bb94e68656", + "summary": "Directory traversal vulnerability", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": 
"" + }, + "fixed_version": "0.8.17", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.16" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "0.7.63", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.16" + } + ], + "references": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3898", + "severities": [], + "reference_id": "CVE-2009-3898", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "ef80f06b34224fbde70a6a359ccf297c0ec2bfae9148973d3689a1c2acb888ad", + "summary": "Memory disclosure in the ngx_http_mp4_module", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.15.6", + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.15.5" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.14.1", + "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.15.5" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html", + "severities": [ + { + "value": "medium", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16845", + "severities": [], + "reference_id": "CVE-2018-16845", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2018.mp4.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2018.mp4.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": 
"f52c1d6763864aa721f3c5d6fa201712a04cea0851085e8129014e56ba7b4bbe", + "summary": "Excessive CPU usage in HTTP/2 with priority changes", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.17.3", + "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.16.1", + "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html", + "severities": [ + { + "value": "low", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9513", + "severities": [], + "reference_id": "CVE-2019-9513", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "f9a0149f8d0c6afe588cc7c0a170e45c828219c342b9d7ca12d0e830c68b752a", + "summary": "SPDY memory corruption", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.5.11", + "affected_version_range": "vers:nginx/1.5.10" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000132.html", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0088", + "severities": [], + "reference_id": "CVE-2014-0088", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2014.spdy.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.2014.spdy.txt.asc", + "severities": [], + 
"reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "fc72f81267258996f729b98893890074ad6155adcc3352d30a04765977836995", + "summary": "The renegotiation vulnerability in SSL protocol", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "0.8.23", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.22" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "0.7.64", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.22" + } + ], + "references": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555", + "severities": [], + "reference_id": "CVE-2009-3555", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.cve-2009-3555.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.cve-2009-3555.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "fcb04608ea5442dbf70575273074915efc16a95be9d8c84d5f3146f6917b3fb1", + "summary": "Excessive memory usage in HTTP/2 with zero length headers", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.17.3", + "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "1.16.1", + "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" + } + ], + "references": [ + { + "url": "https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html", + 
"severities": [ + { + "value": "low", + "system": "generic_textual", + "scoring_elements": "" + } + ], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9516", + "severities": [], + "reference_id": "CVE-2019-9516", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + }, + { + "unique_content_id": "fcb0ba0ce66c1f1cf3b4213fd6e9108ab9965d633582d3e9c070a792e02d9876", + "summary": "Null pointer dereference vulnerability", + "affected_packages": [ + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "0.8.14", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.13" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "0.7.62", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.13" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "0.6.39", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.13" + }, + { + "package": { + "name": "nginx", + "type": "nginx", + "subpath": "", + "version": "", + "namespace": "", + "qualifiers": "" + }, + "fixed_version": "0.5.38", + "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.13" + } + ], + "references": [ + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3896", + "severities": [], + "reference_id": "CVE-2009-3896", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.null.pointer.txt", + "severities": [], + "reference_id": "", + "reference_type": "" + }, + { + "url": "https://nginx.org/download/patch.null.pointer.txt.asc", + "severities": [], + "reference_id": "", + "reference_type": "" + } + ], + "date_published": null, + "weaknesses": [] + } +] \ No newline at end of file 
diff --git a/vulnerabilities/tests/test_data/nginx_v2/security_advisories.html b/vulnerabilities/tests/test_data/nginx_v2/security_advisories.html new file mode 100644 index 000000000..6c4585438 --- /dev/null +++ b/vulnerabilities/tests/test_data/nginx_v2/security_advisories.html @@ -0,0 +1,96 @@ + +nginx security advisories

    nginx security advisories

    +All nginx security issues should be reported to +security-alert@nginx.org. +

    +Patches are signed using one of the +PGP public keys. +

      + +
    • Buffer overwrite in HTTP/3
      Severity: medium
      Advisory
      CVE-2024-32760
      Not vulnerable: 1.27.0+, 1.26.1+
      Vulnerable: 1.25.0-1.25.5, 1.26.0

    • + +
    • Stack overflow and use-after-free in HTTP/3
      Severity: medium
      Advisory
      CVE-2024-31079
      Not vulnerable: 1.27.0+, 1.26.1+
      Vulnerable: 1.25.0-1.25.5, 1.26.0

    • + +
    • NULL pointer dereference in HTTP/3
      Severity: medium
      Advisory
      CVE-2024-35200
      Not vulnerable: 1.27.0+, 1.26.1+
      Vulnerable: 1.25.0-1.25.5, 1.26.0

    • + +
    • Memory disclosure in HTTP/3
      Severity: medium
      Advisory
      CVE-2024-34161
      Not vulnerable: 1.27.0+, 1.26.1+
      Vulnerable: 1.25.0-1.25.5, 1.26.0

    • + +
    • NULL pointer dereference in HTTP/3
      Severity: major
      Advisory
      CVE-2024-24989
      Not vulnerable: 1.25.4+
      Vulnerable: 1.25.3

    • + +
    • Use-after-free in HTTP/3
      Severity: major
      Advisory
      CVE-2024-24990
      Not vulnerable: 1.25.4+
      Vulnerable: 1.25.0-1.25.3

    • + +
    • Memory corruption in the ngx_http_mp4_module
      Severity: medium
      Advisory
      CVE-2022-41741
      Not vulnerable: 1.23.2+, 1.22.1+
      Vulnerable: 1.1.3-1.23.1, 1.0.7-1.0.15
      The patch  pgp

    • + +
    • Memory disclosure in the ngx_http_mp4_module
      Severity: medium
      Advisory
      CVE-2022-41742
      Not vulnerable: 1.23.2+, 1.22.1+
      Vulnerable: 1.1.3-1.23.1, 1.0.7-1.0.15
      The patch  pgp

    • + +
    • 1-byte memory overwrite in resolver
      Severity: medium
      Advisory
      CVE-2021-23017
      Not vulnerable: 1.21.0+, 1.20.1+
      Vulnerable: 0.6.18-1.20.0
      The patch  pgp

    • + +
    • Excessive CPU usage in HTTP/2 with small window updates
      Severity: medium
      Advisory
      CVE-2019-9511
      Not vulnerable: 1.17.3+, 1.16.1+
      Vulnerable: 1.9.5-1.17.2

    • + +
    • Excessive CPU usage in HTTP/2 with priority changes
      Severity: low
      Advisory
      CVE-2019-9513
      Not vulnerable: 1.17.3+, 1.16.1+
      Vulnerable: 1.9.5-1.17.2

    • + +
    • Excessive memory usage in HTTP/2 with zero length headers
      Severity: low
      Advisory
      CVE-2019-9516
      Not vulnerable: 1.17.3+, 1.16.1+
      Vulnerable: 1.9.5-1.17.2

    • + +
    • Excessive memory usage in HTTP/2
      Severity: low
      Advisory
      CVE-2018-16843
      Not vulnerable: 1.15.6+, 1.14.1+
      Vulnerable: 1.9.5-1.15.5

    • + +
    • Excessive CPU usage in HTTP/2
      Severity: low
      Advisory
      CVE-2018-16844
      Not vulnerable: 1.15.6+, 1.14.1+
      Vulnerable: 1.9.5-1.15.5

    • + +
    • Memory disclosure in the ngx_http_mp4_module
      Severity: medium
      Advisory
      CVE-2018-16845
      Not vulnerable: 1.15.6+, 1.14.1+
      Vulnerable: 1.1.3-1.15.5, 1.0.7-1.0.15
      The patch  pgp

    • + +
    • Integer overflow in the range filter
      Severity: medium
      Advisory
      CVE-2017-7529
      Not vulnerable: 1.13.3+, 1.12.1+
      Vulnerable: 0.5.6-1.13.2
      The patch  pgp

    • + +
    • NULL pointer dereference while writing client request body
      Severity: medium
      Advisory
      CVE-2016-4450
      Not vulnerable: 1.11.1+, 1.10.1+
      Vulnerable: 1.3.9-1.11.0
      The patch  pgp  (for 1.9.13-1.11.0)
      The patch  pgp  (for 1.3.9-1.9.12)

    • + +
    • Invalid pointer dereference in resolver
      Severity: medium
      Advisory
      CVE-2016-0742
      Not vulnerable: 1.9.10+, 1.8.1+
      Vulnerable: 0.6.18-1.9.9

    • + +
    • Use-after-free during CNAME response processing in resolver
      Severity: medium
      Advisory
      CVE-2016-0746
      Not vulnerable: 1.9.10+, 1.8.1+
      Vulnerable: 0.6.18-1.9.9

    • + +
    • Insufficient limits of CNAME resolution in resolver
      Severity: medium
      Advisory
      CVE-2016-0747
      Not vulnerable: 1.9.10+, 1.8.1+
      Vulnerable: 0.6.18-1.9.9

    • + +
    • SSL session reuse vulnerability
      Severity: medium
      Advisory
      CVE-2014-3616
      Not vulnerable: 1.7.5+, 1.6.2+
      Vulnerable: 0.5.6-1.7.4

    • + +
    • STARTTLS command injection
      Severity: medium
      Advisory
      CVE-2014-3556
      Not vulnerable: 1.7.4+, 1.6.1+
      Vulnerable: 1.5.6-1.7.3
      The patch  pgp

    • + +
    • SPDY heap buffer overflow
      Severity: major
      Advisory
      CVE-2014-0133
      Not vulnerable: 1.5.12+, 1.4.7+
      Vulnerable: 1.3.15-1.5.11
      The patch  pgp

    • + +
    • SPDY memory corruption
      Severity: major
      Advisory
      CVE-2014-0088
      Not vulnerable: 1.5.11+
      Vulnerable: 1.5.10
      The patch  pgp

    • + +
    • Request line parsing vulnerability
      Severity: medium
      Advisory
      CVE-2013-4547
      Not vulnerable: 1.5.7+, 1.4.4+
      Vulnerable: 0.8.41-1.5.6
      The patch  pgp

    • + +
    • Memory disclosure with specially crafted HTTP backend responses
      Severity: medium
      Advisory
      CVE-2013-2070
      Not vulnerable: 1.5.0+, 1.4.1+, 1.2.9+
      Vulnerable: 1.1.4-1.2.8, 1.3.9-1.4.0
      The patch  pgp  (for 1.3.9-1.4.0)
      The patch  pgp  (for 1.1.4-1.2.8)

    • + +
    • Stack-based buffer overflow with specially crafted request
      Severity: major
      Advisory
      CVE-2013-2028
      Not vulnerable: 1.5.0+, 1.4.1+
      Vulnerable: 1.3.9-1.4.0
      The patch  pgp

    • + +
    • Vulnerabilities with Windows directory aliases
      Severity: medium
      Advisory
      CVE-2011-4963
      Not vulnerable: 1.3.1+, 1.2.1+
      Vulnerable: nginx/Windows 0.7.52-1.3.0

    • + +
    • Buffer overflow in the ngx_http_mp4_module
      Severity: major
      Advisory
      CVE-2012-2089
      Not vulnerable: 1.1.19+, 1.0.15+
      Vulnerable: 1.1.3-1.1.18, 1.0.7-1.0.14
      The patch  pgp

    • + +
    • Memory disclosure with specially crafted backend responses
      Severity: major
      Advisory
      CVE-2012-1180
      Not vulnerable: 1.1.17+, 1.0.14+
      Vulnerable: 0.1.0-1.1.16
      The patch  pgp

    • + +
    • Buffer overflow in resolver
      Severity: medium
      CVE-2011-4315
      Not vulnerable: 1.1.8+, 1.0.10+
      Vulnerable: 0.6.18-1.1.7

    • + +
    • Vulnerabilities with invalid UTF-8 sequence on Windows
      Severity: major
      CVE-2010-2266
      Not vulnerable: 0.8.41+, 0.7.67+
      Vulnerable: nginx/Windows 0.7.52-0.8.40

    • + +
    • Vulnerabilities with Windows file default stream
      Severity: major
      CVE-2010-2263
      Not vulnerable: 0.8.40+, 0.7.66+
      Vulnerable: nginx/Windows 0.7.52-0.8.39

    • + +
    • Vulnerabilities with Windows 8.3 filename pseudonyms
      Severity: major
      CORE-2010-0121
      Not vulnerable: 0.8.33+, 0.7.65+
      Vulnerable: nginx/Windows 0.7.52-0.8.32

    • + +
    • An error log data are not sanitized
      Severity: none
      CVE-2009-4487
      Not vulnerable: none
      Vulnerable: all

    • + +
    • The renegotiation vulnerability in SSL protocol
      Severity: major
      VU#120541  CVE-2009-3555
      Not vulnerable: 0.8.23+, 0.7.64+
      Vulnerable: 0.1.0-0.8.22
      The patch  pgp

    • + +
    • Directory traversal vulnerability
      Severity: minor
      CVE-2009-3898
      Not vulnerable: 0.8.17+, 0.7.63+
      Vulnerable: 0.1.0-0.8.16

    • + +
    • Buffer underflow vulnerability
      Severity: major
      VU#180065  CVE-2009-2629
      Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
      Vulnerable: 0.1.0-0.8.14
      The patch  pgp

    • + +
    • Null pointer dereference vulnerability
      Severity: major
      CVE-2009-3896
      Not vulnerable: 0.8.14+, 0.7.62+, 0.6.39+, 0.5.38+
      Vulnerable: 0.1.0-0.8.13
      The patch  pgp

    • + +
    diff --git a/vulnerabilities/tests/test_data/nginx_v2/security_advisories.html.ABOUT b/vulnerabilities/tests/test_data/nginx_v2/security_advisories.html.ABOUT new file mode 100644 index 000000000..af2a44406 --- /dev/null +++ b/vulnerabilities/tests/test_data/nginx_v2/security_advisories.html.ABOUT @@ -0,0 +1,2 @@ +date: 2024-08-09 +download_url: https://nginx.org/en/security_advisories.html From 556e58cc3f88d38599fc37dbfd0ed30fb8c644e9 Mon Sep 17 00:00:00 2001 From: ziad hany Date: Fri, 9 Jan 2026 21:20:13 +0200 Subject: [PATCH 2/3] Update nginx to store patch data and ensure fixed_version_range is correctly assigned. Signed-off-by: ziad hany --- .../pipelines/v2_importers/nginx_importer.py | 49 ++- .../v2_importers/test_nginx_importer_v2.py | 15 +- ...ity_advisories-advisory_data-expected.json | 327 +++++++++--------- 3 files changed, 218 insertions(+), 173 deletions(-) diff --git a/vulnerabilities/pipelines/v2_importers/nginx_importer.py b/vulnerabilities/pipelines/v2_importers/nginx_importer.py index c017b5f75..33ef0f284 100644 --- a/vulnerabilities/pipelines/v2_importers/nginx_importer.py +++ b/vulnerabilities/pipelines/v2_importers/nginx_importer.py 
@@ -7,25 +7,28 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
-from typing import Iterable
 from typing import NamedTuple
+from urllib.parse import urljoin
 import requests
 from bs4 import BeautifulSoup
 from packageurl import PackageURL
+from univers.version_constraint import VersionConstraint
+from univers.version_constraint import validate_comparators
 from univers.version_range import NginxVersionRange
 from univers.versions import InvalidVersion
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import PatchData
 from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.importer import logger
-from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.severity_systems import GENERIC
-class NginxImporterPipeline(VulnerableCodeBaseImporterPipeline):
+class NginxImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
 """Collect Nginx security advisories."""
 pipeline_id = "nginx_importer_v2"
@@ -49,7 +52,7 @@ def fetch(self):
 def advisories_count(self):
 return self.advisory_data.count("
  • ")
- def collect_advisories(self) -> Iterable[AdvisoryData]:
+ def collect_advisories(self):
 """
 Yield AdvisoryData from nginx security advisories HTML web page.
@@ -66,6 +69,7 @@ class NginxAdvisory(NamedTuple):
 aliases: list
 summary: str
 severities: list
+ patches: list
 not_vulnerable: str
 vulnerable: str
 references: list
@@ -78,11 +82,9 @@ def to_advisory_data(nginx_adv: NginxAdvisory) -> AdvisoryData:
 """
 Return AdvisoryData from an NginxAdvisory tuple.
 """
- package_name = "nginx"
- package_type = "nginx"
 qualifiers = {}
- purl = PackageURL(type=package_type, name=package_name, qualifiers=qualifiers)
+ purl = PackageURL(type="nginx", name="nginx", qualifiers=qualifiers)
 _, _, affected_versions = nginx_adv.vulnerable.partition(":")
 affected_versions = affected_versions.strip()
@@ -112,6 +114,28 @@ def to_advisory_data(nginx_adv: NginxAdvisory) -> AdvisoryData:
 affected_packages = []
 if purl and affected_version_range or fixed_version_range:
+ try:
+ if affected_version_range:
+ validate_comparators(affected_version_range.constraints)
+ except ValueError as e:
+ affected_version_range = None
+ logger.error(
+ f"Invalid version_range affected_version_range:{affected_version_range} - error: {e}"
+ )
+
+ try:
+ if fixed_version_range:
+ fixed_version_constraints = VersionConstraint.simplify(
+ fixed_version_range.constraints
+ )
+ fixed_version_range = NginxVersionRange(constraints=fixed_version_constraints)
+ validate_comparators(fixed_version_range.constraints)
+ except ValueError as e:
+ fixed_version_range = None
+ logger.error(
+ f"Invalid version_range fixed_version_range:{fixed_version_range} - error: {e}"
+ )
+
 affected_packages.append(
 AffectedPackageV2(
 package=purl,
@@ -126,6 +150,7 @@ def to_advisory_data(nginx_adv: NginxAdvisory) -> AdvisoryData:
 summary=nginx_adv.summary,
 affected_packages=affected_packages,
 references_v2=nginx_adv.references,
+ patches=nginx_adv.patches,
 url="https://nginx.org/en/security_advisories.html",
 )
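Review bot: In hunk `@@ -112,6 +114,28 @@` both new `except ValueError` blocks set the range to `None` before calling `logger.error`, so the f-string always prints `None` and the rejected range never reaches the log. Call the logger first and reset afterwards, i.e. put `affected_version_range = None` after its `logger.error(...)` call and `fixed_version_range = None` after the second one. When both ranges fail validation the code still reaches `affected_packages.append(AffectedPackageV2(...))` with neither range set, which may not be intended; a guard such as `if affected_version_range or fixed_version_range:` before the append would make that explicit, assuming `AffectedPackageV2` is not meant to be created empty. `to_advisory_data` starts and ends outside this hunk.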
@@ -148,6 +173,7 @@ def parse_advisory_data_from_paragraph(vulnerability_info):
 aliases = []
 summary = None
 severities = []
+ patches = []
 not_vulnerable = None
 vulnerable = None
 references = []
@@ -196,8 +222,14 @@ def parse_advisory_data_from_paragraph(vulnerability_info):
 references.append(ReferenceV2(reference_id=text, url=link))
 elif "mailman.nginx.org" in link:
 references.append(ReferenceV2(url=link))
+ elif "/download/patch" in link:
+ link = urljoin("https://nginx.org", link)
+ patch = PatchData(
+ patch_url=link,
+ )
+ patches.append(patch)
 else:
- link = requests.compat.urljoin("https://nginx.org", link)
+ link = urljoin("https://nginx.org", link)
 references.append(ReferenceV2(url=link))
 advisory_id = aliases.pop()
@@ -209,6 +241,7 @@ def parse_advisory_data_from_paragraph(vulnerability_info):
 not_vulnerable=not_vulnerable,
 vulnerable=vulnerable,
 references=references,
+ patches=patches,
 )
diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_nginx_importer_v2.py b/vulnerabilities/tests/pipelines/v2_importers/test_nginx_importer_v2.py
index 7bf0e7977..850a84566 100644
--- a/vulnerabilities/tests/pipelines/v2_importers/test_nginx_importer_v2.py
+++ b/vulnerabilities/tests/pipelines/v2_importers/test_nginx_importer_v2.py
@@ -13,6 +13,7 @@
 from commoncode import testcase
 from univers.version_range import NginxVersionRange
+from vulnerabilities.importer import PatchData
 from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines.v2_importers import nginx_importer
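Review bot: The new `elif "/download/patch" in link:` branch in hunk `@@ -196,8 +222,14 @@` also matches the detached signature links (`patch.*.txt.asc`), so every PGP signature is stored as a `PatchData` entry beside the patch it signs; the test hunk `@@ -120,16 +121,10 @@` expects exactly that. A signature is not a patch, and narrowing the test to `elif "/download/patch" in link and not link.endswith(".asc"):` would let it fall through to the `else` branch and remain a `ReferenceV2` that a consumer can use to verify the patch. The substring test also runs on the raw `href` before `urljoin`, and `urljoin` returns an absolute URL unchanged, so it may be worth confirming that the joined URL's host is `nginx.org` before recording it as a patch source. `parse_advisory_data_from_paragraph` starts and ends outside this hunk.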
@@ -120,16 +121,10 @@ def test_parse_advisory_data_from_paragraph(self): reference_type="", url="https://nvd.nist.gov/vuln/detail/CVE-2021-23017", ), - ReferenceV2( - reference_id="", - reference_type="", - url="https://nginx.org/download/patch.2021.resolver.txt", - ), - ReferenceV2( - reference_id="", - reference_type="", - url="https://nginx.org/download/patch.2021.resolver.txt.asc", - ), + ], + "patches": [ + PatchData(patch_url="https://nginx.org/download/patch.2021.resolver.txt"), + PatchData(patch_url="https://nginx.org/download/patch.2021.resolver.txt.asc"), ], } diff --git a/vulnerabilities/tests/test_data/nginx_v2/security_advisories-advisory_data-expected.json b/vulnerabilities/tests/test_data/nginx_v2/security_advisories-advisory_data-expected.json index bba65d14b..f421aa364 100644 --- a/vulnerabilities/tests/test_data/nginx_v2/security_advisories-advisory_data-expected.json +++ b/vulnerabilities/tests/test_data/nginx_v2/security_advisories-advisory_data-expected.json @@ -257,19 +257,20 @@ "reference_id": "CVE-2022-41741", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41741" - }, + } + ], + "patches": [ { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2022.mp4.txt" + "patch_url": "https://nginx.org/download/patch.2022.mp4.txt", + "patch_text": null, + "patch_checksum": null }, { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2022.mp4.txt.asc" + "patch_url": "https://nginx.org/download/patch.2022.mp4.txt.asc", + "patch_text": null, + "patch_checksum": null } ], - "patches": [], "severities": [], "date_published": null, "weaknesses": [], 
@@ -305,19 +306,20 @@ "reference_id": "CVE-2022-41742", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41742" - }, + } + ], + "patches": [ { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2022.mp4.txt" + "patch_url": "https://nginx.org/download/patch.2022.mp4.txt", + "patch_text": null, + "patch_checksum": null }, { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2022.mp4.txt.asc" + "patch_url": "https://nginx.org/download/patch.2022.mp4.txt.asc", + "patch_text": null, + "patch_checksum": null } ], - "patches": [], "severities": [], "date_published": null, "weaknesses": [], @@ -353,19 +355,20 @@ "reference_id": "CVE-2021-23017", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23017" - }, + } + ], + "patches": [ { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2021.resolver.txt" + "patch_url": "https://nginx.org/download/patch.2021.resolver.txt", + "patch_text": null, + "patch_checksum": null }, { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2021.resolver.txt.asc" + "patch_url": "https://nginx.org/download/patch.2021.resolver.txt.asc", + "patch_text": null, + "patch_checksum": null } ], - "patches": [], "severities": [], "date_published": null, "weaknesses": [], 
@@ -591,19 +594,20 @@ "reference_id": "CVE-2018-16845", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16845" - }, + } + ], + "patches": [ { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2018.mp4.txt" + "patch_url": "https://nginx.org/download/patch.2018.mp4.txt", + "patch_text": null, + "patch_checksum": null }, { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2018.mp4.txt.asc" + "patch_url": "https://nginx.org/download/patch.2018.mp4.txt.asc", + "patch_text": null, + "patch_checksum": null } ], - "patches": [], "severities": [], "date_published": null, "weaknesses": [], @@ -639,19 +643,20 @@ "reference_id": "CVE-2017-7529", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7529" - }, + } + ], + "patches": [ { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2017.ranges.txt" + "patch_url": "https://nginx.org/download/patch.2017.ranges.txt", + "patch_text": null, + "patch_checksum": null }, { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2017.ranges.txt.asc" + "patch_url": "https://nginx.org/download/patch.2017.ranges.txt.asc", + "patch_text": null, + "patch_checksum": null } ], - "patches": [], "severities": [], "date_published": null, "weaknesses": [], 
@@ -687,29 +692,30 @@ "reference_id": "CVE-2016-4450", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4450" - }, + } + ], + "patches": [ { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2016.write.txt" + "patch_url": "https://nginx.org/download/patch.2016.write.txt", + "patch_text": null, + "patch_checksum": null }, { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2016.write.txt.asc" + "patch_url": "https://nginx.org/download/patch.2016.write.txt.asc", + "patch_text": null, + "patch_checksum": null }, { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2016.write2.txt" + "patch_url": "https://nginx.org/download/patch.2016.write2.txt", + "patch_text": null, + "patch_checksum": null }, { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2016.write2.txt.asc" + "patch_url": "https://nginx.org/download/patch.2016.write2.txt.asc", + "patch_text": null, + "patch_checksum": null } ], - "patches": [], "severities": [], "date_published": null, "weaknesses": [], @@ -897,19 +903,20 @@ "reference_id": "CVE-2014-3556", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3556" - }, + } + ], + "patches": [ { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2014.starttls.txt" + "patch_url": "https://nginx.org/download/patch.2014.starttls.txt", + "patch_text": null, + "patch_checksum": null }, { - "reference_id": "", - "reference_type": "", - "url": "https://nginx.org/download/patch.2014.starttls.txt.asc" + "patch_url": "https://nginx.org/download/patch.2014.starttls.txt.asc", + "patch_text": null, + "patch_checksum": null } ], - "patches": [], "severities": [], "date_published": null, "weaknesses": [], 
@@ -945,19 +952,20 @@
 "reference_id": "CVE-2014-0133",
 "reference_type": "",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0133"
- },
+ }
+ ],
+ "patches": [
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2014.spdy2.txt"
+ "patch_url": "https://nginx.org/download/patch.2014.spdy2.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2014.spdy2.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.2014.spdy2.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 }
 ],
- "patches": [],
 "severities": [],
 "date_published": null,
 "weaknesses": [],
@@ -993,19 +1001,20 @@
 "reference_id": "CVE-2014-0088",
 "reference_type": "",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0088"
- },
+ }
+ ],
+ "patches": [
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2014.spdy.txt"
+ "patch_url": "https://nginx.org/download/patch.2014.spdy.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2014.spdy.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.2014.spdy.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 }
 ],
- "patches": [],
 "severities": [],
 "date_published": null,
 "weaknesses": [],
@@ -1041,19 +1050,20 @@
 "reference_id": "CVE-2013-4547",
 "reference_type": "",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4547"
- },
+ }
+ ],
+ "patches": [
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2013.space.txt"
+ "patch_url": "https://nginx.org/download/patch.2013.space.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2013.space.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.2013.space.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 }
 ],
- "patches": [],
 "severities": [],
 "date_published": null,
 "weaknesses": [],
@@ -1089,29 +1099,30 @@
 "reference_id": "CVE-2013-2070",
 "reference_type": "",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2070"
- },
+ }
+ ],
+ "patches": [
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2013.chunked.txt"
+ "patch_url": "https://nginx.org/download/patch.2013.chunked.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2013.chunked.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.2013.chunked.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2013.proxy.txt"
+ "patch_url": "https://nginx.org/download/patch.2013.proxy.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2013.proxy.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.2013.proxy.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 }
 ],
- "patches": [],
 "severities": [],
 "date_published": null,
 "weaknesses": [],
@@ -1147,19 +1158,20 @@
 "reference_id": "CVE-2013-2028",
 "reference_type": "",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2028"
- },
+ }
+ ],
+ "patches": [
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2013.chunked.txt"
+ "patch_url": "https://nginx.org/download/patch.2013.chunked.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2013.chunked.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.2013.chunked.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 }
 ],
- "patches": [],
 "severities": [],
 "date_published": null,
 "weaknesses": [],
@@ -1233,19 +1245,20 @@
 "reference_id": "CVE-2012-2089",
 "reference_type": "",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2089"
- },
+ }
+ ],
+ "patches": [
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2012.mp4.txt"
+ "patch_url": "https://nginx.org/download/patch.2012.mp4.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2012.mp4.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.2012.mp4.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 }
 ],
- "patches": [],
 "severities": [],
 "date_published": null,
 "weaknesses": [],
@@ -1281,19 +1294,20 @@
 "reference_id": "CVE-2012-1180",
 "reference_type": "",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1180"
- },
+ }
+ ],
+ "patches": [
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2012.memory.txt"
+ "patch_url": "https://nginx.org/download/patch.2012.memory.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.2012.memory.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.2012.memory.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 }
 ],
- "patches": [],
 "severities": [],
 "date_published": null,
 "weaknesses": [],
@@ -1347,7 +1361,7 @@
 "subpath": ""
 },
 "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.40",
- "fixed_version_range": "vers:nginx/>=0.7.67|>=0.8.41|<0.9.0",
+ "fixed_version_range": "vers:nginx/>=0.7.67|<0.9.0",
 "introduced_by_commit_patches": [],
 "fixed_by_commit_patches": []
 }
@@ -1380,7 +1394,7 @@
 "subpath": ""
 },
 "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.39",
- "fixed_version_range": "vers:nginx/>=0.7.66|>=0.8.40|<0.9.0",
+ "fixed_version_range": "vers:nginx/>=0.7.66|<0.9.0",
 "introduced_by_commit_patches": [],
 "fixed_by_commit_patches": []
 }
@@ -1413,7 +1427,7 @@
 "subpath": ""
 },
 "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.32",
- "fixed_version_range": "vers:nginx/>=0.7.65|>=0.8.33|<0.9.0",
+ "fixed_version_range": "vers:nginx/>=0.7.65|<0.9.0",
 "introduced_by_commit_patches": [],
 "fixed_by_commit_patches": []
 }
@@ -1475,7 +1489,7 @@
 "subpath": ""
 },
 "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.22",
- "fixed_version_range": "vers:nginx/>=0.7.64|>=0.8.23|<0.9.0",
+ "fixed_version_range": "vers:nginx/>=0.7.64|<0.9.0",
 "introduced_by_commit_patches": [],
 "fixed_by_commit_patches": []
 }
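Review bot: The new expected value `"fixed_version_range": "vers:nginx/>=0.7.67|<0.9.0"` in the `-1347` hunk overlaps the `"affected_version_range": "vers:nginx/>=0.7.52|<=0.8.40"` on the context line directly above it: read as a vers range it spans 0.7.67 up to 0.9.0, which includes the 0.8.x releases up to 0.8.40 that the same record lists as affected. The removed value was not a well-formed range either, but it still carried the `0.8.41` bound; with that bound gone, a scanner relying on this data could report a vulnerable 0.8.x build as fixed. I would keep one bound per release branch, for example (constructed, to be checked against the advisory) `vers:nginx/>=0.7.67|<0.8.0|>=0.8.41|<0.9.0`, and add a test assertion that a record's fixed and affected ranges do not intersect. The same collapse appears in the `-1380`, `-1413` and `-1475` hunks on this line and in the `-1518`, `-1553` and `-1596` hunks further down.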
@@ -1485,19 +1499,20 @@
 "reference_id": "CVE-2009-3555",
 "reference_type": "",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555"
- },
+ }
+ ],
+ "patches": [
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.cve-2009-3555.txt"
+ "patch_url": "https://nginx.org/download/patch.cve-2009-3555.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.cve-2009-3555.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.cve-2009-3555.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 }
 ],
- "patches": [],
 "severities": [],
 "date_published": null,
 "weaknesses": [],
@@ -1518,7 +1533,7 @@
 "subpath": ""
 },
 "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.16",
- "fixed_version_range": "vers:nginx/>=0.7.63|>=0.8.17|<0.9.0",
+ "fixed_version_range": "vers:nginx/>=0.7.63|<0.9.0",
 "introduced_by_commit_patches": [],
 "fixed_by_commit_patches": []
 }
@@ -1553,7 +1568,7 @@
 "subpath": ""
 },
 "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.14",
- "fixed_version_range": "vers:nginx/>=0.5.38|>=0.6.39|<0.7.0|>=0.7.62|>=0.8.15|<0.9.0",
+ "fixed_version_range": "vers:nginx/>=0.5.38|<0.7.0|>=0.7.62|<0.9.0",
 "introduced_by_commit_patches": [],
 "fixed_by_commit_patches": []
 }
@@ -1563,19 +1578,20 @@
 "reference_id": "CVE-2009-2629",
 "reference_type": "",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2629"
- },
+ }
+ ],
+ "patches": [
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.180065.txt"
+ "patch_url": "https://nginx.org/download/patch.180065.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.180065.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.180065.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 }
 ],
- "patches": [],
 "severities": [],
 "date_published": null,
 "weaknesses": [],
@@ -1596,7 +1612,7 @@
 "subpath": ""
 },
 "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.13",
- "fixed_version_range": "vers:nginx/>=0.5.38|>=0.6.39|<0.7.0|>=0.7.62|>=0.8.14|<0.9.0",
+ "fixed_version_range": "vers:nginx/>=0.5.38|<0.7.0|>=0.7.62|<0.9.0",
 "introduced_by_commit_patches": [],
 "fixed_by_commit_patches": []
 }
@@ -1606,19 +1622,20 @@
 "reference_id": "CVE-2009-3896",
 "reference_type": "",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3896"
- },
+ }
+ ],
+ "patches": [
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.null.pointer.txt"
+ "patch_url": "https://nginx.org/download/patch.null.pointer.txt",
+ "patch_text": null,
+ "patch_checksum": null
 },
 {
- "reference_id": "",
- "reference_type": "",
- "url": "https://nginx.org/download/patch.null.pointer.txt.asc"
+ "patch_url": "https://nginx.org/download/patch.null.pointer.txt.asc",
+ "patch_text": null,
+ "patch_checksum": null
 }
 ],
- "patches": [],
 "severities": [],
 "date_published": null,
 "weaknesses": [],
From 6e10e0f4549b965879333f1d8b5968477bd0a6d9 Mon Sep 17 00:00:00 2001 From: ziad hany Date: Fri, 9 Jan 2026 21:39:58 +0200 Subject: [PATCH 3/3] Remove unused test file security_advisories-importer-expected.json Signed-off-by: ziad hany --- ...security_advisories-importer-expected.json | 2113 ----------------- 1 file changed, 2113 deletions(-) delete mode 100644 vulnerabilities/tests/test_data/nginx_v2/security_advisories-importer-expected.json
diff --git a/vulnerabilities/tests/test_data/nginx_v2/security_advisories-importer-expected.json b/vulnerabilities/tests/test_data/nginx_v2/security_advisories-importer-expected.json
deleted file mode 100644
index 9e760590f..000000000
--- a/vulnerabilities/tests/test_data/nginx_v2/security_advisories-importer-expected.json
+++ /dev/null
@@ -1,2113 +0,0 @@ -[ - { - "unique_content_id": "041e081a630681e36df17fc2471cd58a789dce20b54dce62c66900baceb7d771", - "summary": "Stack overflow and use-after-free in HTTP/3", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.27.0", - "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.26.1", - "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31079", - "severities": [], - "reference_id": "CVE-2024-31079", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "044f1ec3ed59bdbafada7e40b37f7a3cbd0afc31c67aac002251f7ed56e756db", - "summary": "Vulnerabilities with Windows directory aliases", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "os=windows" - }, - "fixed_version": "1.3.1", - "affected_version_range": "vers:nginx/>=0.7.52|<=1.3.0" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "os=windows" - }, - "fixed_version": "1.2.1", - "affected_version_range": "vers:nginx/>=0.7.52|<=1.3.0" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2012/000086.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - 
"scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4963", - "severities": [], - "reference_id": "CVE-2011-4963", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "04ec1beb69b3712ef90b5975ff13d5d9ece8dc4c31e2fbd033e1e7be98f889ed", - "summary": "SPDY heap buffer overflow", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.5.12", - "affected_version_range": "vers:nginx/>=1.3.15|<=1.5.11" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.4.7", - "affected_version_range": "vers:nginx/>=1.3.15|<=1.5.11" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0133", - "severities": [], - "reference_id": "CVE-2014-0133", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2014.spdy2.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2014.spdy2.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "1000911200f3a7046464251c86a45451e6d049b88cb3e5edc6d009a1867418f7", - "summary": "An error log data are not sanitized", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": null, - "affected_version_range": "vers:nginx/*" - } - ], - "references": [ - { - "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2009-4487", - "severities": [], - "reference_id": "CVE-2009-4487", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "37a3e3a4d916420d151462c0e761db15f3dfb81ead3e3fa18e84ef4a93151d4c", - "summary": "Excessive CPU usage in HTTP/2", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.15.6", - "affected_version_range": "vers:nginx/>=1.9.5|<=1.15.5" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.14.1", - "affected_version_range": "vers:nginx/>=1.9.5|<=1.15.5" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html", - "severities": [ - { - "value": "low", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16844", - "severities": [], - "reference_id": "CVE-2018-16844", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "3db919e67e7061f392f575e7ac88884850c686c133ebdd4f58dfddb6196e15bf", - "summary": "NULL pointer dereference while writing client request body", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.11.1", - "affected_version_range": "vers:nginx/>=1.3.9|<=1.11.0" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.10.1", - "affected_version_range": "vers:nginx/>=1.3.9|<=1.11.0" - } - ], - "references": [ - { - "url": 
"https://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4450", - "severities": [], - "reference_id": "CVE-2016-4450", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2016.write.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2016.write.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2016.write2.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2016.write2.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "3f9a96e88c2c8cb3ad5852621091d686b420e0fa25921a9f10f330e02e7f47d6", - "summary": "Insufficient limits of CNAME resolution in resolver", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.9.10", - "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.8.1", - "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0747", - "severities": [], - "reference_id": "CVE-2016-0747", - 
"reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "4590b8b17cfdf0314dffd75372ba416fd8ced35cdeb673aabe9d2ed5b19dab3d", - "summary": "Memory disclosure with specially crafted HTTP backend responses", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.5.0", - "affected_version_range": "vers:nginx/>=1.1.4|<=1.2.8|>=1.3.9|<=1.4.0" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.4.1", - "affected_version_range": "vers:nginx/>=1.1.4|<=1.2.8|>=1.3.9|<=1.4.0" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.2.9", - "affected_version_range": "vers:nginx/>=1.1.4|<=1.2.8|>=1.3.9|<=1.4.0" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2070", - "severities": [], - "reference_id": "CVE-2013-2070", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2013.chunked.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2013.chunked.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2013.proxy.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2013.proxy.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - 
"weaknesses": [] - }, - { - "unique_content_id": "516f2188bdac91f9372ec3e200c4e754179f61fb8bf3a4613d97ebb569e46831", - "summary": "Memory corruption in the ngx_http_mp4_module", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.23.2", - "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.23.1" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.22.1", - "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.23.1" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41741", - "severities": [], - "reference_id": "CVE-2022-41741", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2022.mp4.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2022.mp4.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "60c648561ee11d1ece306182ff608e5d66aeb748c91c4c91d79aa4f7967f2149", - "summary": "Integer overflow in the range filter", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.13.3", - "affected_version_range": "vers:nginx/>=0.5.6|<=1.13.2" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - 
"fixed_version": "1.12.1", - "affected_version_range": "vers:nginx/>=0.5.6|<=1.13.2" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7529", - "severities": [], - "reference_id": "CVE-2017-7529", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2017.ranges.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2017.ranges.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "68957cdbe4f38386944b07c2f3138ad59f02df490dab487d8709f8642a395496", - "summary": "SSL session reuse vulnerability", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.7.5", - "affected_version_range": "vers:nginx/>=0.5.6|<=1.7.4" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.6.2", - "affected_version_range": "vers:nginx/>=0.5.6|<=1.7.4" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3616", - "severities": [], - "reference_id": "CVE-2014-3616", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": 
"6dfd4b51bcdf1ee31bfdd97ee6370422b70533c1db972de69cdc2e281a4bb90a", - "summary": "Stack-based buffer overflow with specially crafted request", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.5.0", - "affected_version_range": "vers:nginx/>=1.3.9|<=1.4.0" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.4.1", - "affected_version_range": "vers:nginx/>=1.3.9|<=1.4.0" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2028", - "severities": [], - "reference_id": "CVE-2013-2028", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2013.chunked.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2013.chunked.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "702a79bf8a92e5ce967d5d540f03d225e05906df0cb641c5538e0e8b8045aa89", - "summary": "NULL pointer dereference in HTTP/3", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.25.4", - "affected_version_range": "vers:nginx/1.25.3" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24989", - "severities": [], - "reference_id": "CVE-2024-24989", - "reference_type": "" 
- } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "71ee7b435e15272f8531b568d58f82e33cfb3881f3ee80b5cae1788183f91827", - "summary": "Use-after-free in HTTP/3", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.25.4", - "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.3" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24990", - "severities": [], - "reference_id": "CVE-2024-24990", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "743193c823a19a8eea1eeb8bb5ea6c3314ca6350b8d6ba0bcf2ac29d2e99ab11", - "summary": "Memory disclosure in the ngx_http_mp4_module", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.23.2", - "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.23.1" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.22.1", - "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.23.1" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41742", - "severities": [], - "reference_id": "CVE-2022-41742", - "reference_type": "" - }, - { - "url": 
"https://nginx.org/download/patch.2022.mp4.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2022.mp4.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "74d2403b1a2d875ba8411a315d217fd704642a39c3e9392bd2b81cd4e4cca8a8", - "summary": "Use-after-free during CNAME response processing in resolver", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.9.10", - "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.8.1", - "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0746", - "severities": [], - "reference_id": "CVE-2016-0746", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "79d90dc8b83d6267a92f31d11be14dc27e619f6edaa996935bf4d0d33b70e575", - "summary": "Buffer overflow in resolver", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.1.8", - "affected_version_range": "vers:nginx/>=0.6.18|<=1.1.7" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.0.10", - "affected_version_range": 
"vers:nginx/>=0.6.18|<=1.1.7" - } - ], - "references": [ - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4315", - "severities": [], - "reference_id": "CVE-2011-4315", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "7dd1dec4f019ce4e044852324feb9444dbc965f26c98025bc28f50294251c5c0", - "summary": "Excessive CPU usage in HTTP/2 with small window updates", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.17.3", - "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.16.1", - "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511", - "severities": [], - "reference_id": "CVE-2019-9511", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "8f54462a45ac49635f660b6fb755d5e05cdbc34ebaa565e38ca20c522579ce7f", - "summary": "Vulnerabilities with Windows 8.3 filename pseudonyms", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "os=windows" - }, - "fixed_version": "0.8.33", - "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.32" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "os=windows" - }, - "fixed_version": "0.7.65", - "affected_version_range": 
"vers:nginx/>=0.7.52|<=0.8.32" - } - ], - "references": [], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "92ce767b8cea36271d33c119cb6f706f64f5aba7335cca6791eca90a87f48de1", - "summary": "Vulnerabilities with Windows file default stream", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "os=windows" - }, - "fixed_version": "0.8.40", - "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.39" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "os=windows" - }, - "fixed_version": "0.7.66", - "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.39" - } - ], - "references": [ - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2263", - "severities": [], - "reference_id": "CVE-2010-2263", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "93ffd507f57f7b01de0bc7cff479daba1c120e28d45b60a14f8fa98bdf597f4a", - "summary": "NULL pointer dereference in HTTP/3", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.27.0", - "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.26.1", - "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35200", - "severities": 
[], - "reference_id": "CVE-2024-35200", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "95dab77a3ea69d6d0bac6b48719f4e1d5435af7f1f1a0c1d62aa343bed5e3f32", - "summary": "Buffer overwrite in HTTP/3", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.27.0", - "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.26.1", - "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32760", - "severities": [], - "reference_id": "CVE-2024-32760", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "9a3699853c72ab1e08f226c4f09f669b6e8b6f0431fa4e78549cd87d8466e0f7", - "summary": "Vulnerabilities with invalid UTF-8 sequence on Windows", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "os=windows" - }, - "fixed_version": "0.8.41", - "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.40" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "os=windows" - }, - "fixed_version": "0.7.67", - "affected_version_range": "vers:nginx/>=0.7.52|<=0.8.40" - } - ], - "references": [ - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2266", - 
"severities": [], - "reference_id": "CVE-2010-2266", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "9bb829ca8d94430d97ea8bb4d67cddb9f41140a7550e5dced08918f35f1dc5f1", - "summary": "Memory disclosure with specially crafted backend responses", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.1.17", - "affected_version_range": "vers:nginx/>=0.1.0|<=1.1.16" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.0.14", - "affected_version_range": "vers:nginx/>=0.1.0|<=1.1.16" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2012/000076.html", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1180", - "severities": [], - "reference_id": "CVE-2012-1180", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2012.memory.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2012.memory.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "9d373a60d30d98c6a84d134e0f1c1880b4e82b795a9175c51b172c9d988633c4", - "summary": "Buffer overflow in the ngx_http_mp4_module", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.1.19", - "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.14|>=1.1.3|<=1.1.18" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - 
"fixed_version": "1.0.15", - "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.14|>=1.1.3|<=1.1.18" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2012/000080.html", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2089", - "severities": [], - "reference_id": "CVE-2012-2089", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2012.mp4.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2012.mp4.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "b011769b7166e6e3a5b0dabd560be9fec2b4963a0c14c8934b394504041dd801", - "summary": "Request line parsing vulnerability", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.5.7", - "affected_version_range": "vers:nginx/>=0.8.41|<=1.5.6" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.4.4", - "affected_version_range": "vers:nginx/>=0.8.41|<=1.5.6" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4547", - "severities": [], - "reference_id": "CVE-2013-4547", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2013.space.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2013.space.txt.asc", - "severities": 
[], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "b141e948fdfecc52a52fd4111fff37b57216a7f8fd1421df478db15e620a4571", - "summary": "1-byte memory overwrite in resolver", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.21.0", - "affected_version_range": "vers:nginx/>=0.6.18|<=1.20.0" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.20.1", - "affected_version_range": "vers:nginx/>=0.6.18|<=1.20.0" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23017", - "severities": [], - "reference_id": "CVE-2021-23017", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2021.resolver.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2021.resolver.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "b97accb1929bfc3181c61e41c2163f051cac435ea3671b05ebf708ac24c53f15", - "summary": "Memory disclosure in HTTP/3", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.27.0", - "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - 
"qualifiers": "" - }, - "fixed_version": "1.26.1", - "affected_version_range": "vers:nginx/>=1.25.0|<=1.25.5|1.26.0" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34161", - "severities": [], - "reference_id": "CVE-2024-34161", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "cc6ff6eaba227bf65c93964fdf2731b75ff1597638283ae950e3941cd4932632", - "summary": "Invalid pointer dereference in resolver", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.9.10", - "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.8.1", - "affected_version_range": "vers:nginx/>=0.6.18|<=1.9.9" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0742", - "severities": [], - "reference_id": "CVE-2016-0742", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "de7a819f87c93c708251b734406d2b9916fce494ab3987be40ca37426b0c2044", - "summary": "Buffer underflow vulnerability", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": 
"" - }, - "fixed_version": "0.8.15", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.14" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "0.7.62", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.14" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "0.6.39", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.14" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "0.5.38", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.14" - } - ], - "references": [ - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2629", - "severities": [], - "reference_id": "CVE-2009-2629", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.180065.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.180065.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "e3af8c6275036d10bb0d3b20807288808bcb24ff1fad37f09757d381f90fc862", - "summary": "STARTTLS command injection", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.7.4", - "affected_version_range": "vers:nginx/>=1.5.6|<=1.7.3" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.6.1", - "affected_version_range": "vers:nginx/>=1.5.6|<=1.7.3" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html", - "severities": [ 
- { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3556", - "severities": [], - "reference_id": "CVE-2014-3556", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2014.starttls.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2014.starttls.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "e4731a12d4f385fc4d0774714c3e79dc98b8ec9c1c648120e0aa196a0d165066", - "summary": "Excessive memory usage in HTTP/2", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.15.6", - "affected_version_range": "vers:nginx/>=1.9.5|<=1.15.5" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.14.1", - "affected_version_range": "vers:nginx/>=1.9.5|<=1.15.5" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html", - "severities": [ - { - "value": "low", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16843", - "severities": [], - "reference_id": "CVE-2018-16843", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "e9adfcf58bd2f302fd81436744937e8ea8bae7e1d7133d54cc4097bb94e68656", - "summary": "Directory traversal vulnerability", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": 
"" - }, - "fixed_version": "0.8.17", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.16" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "0.7.63", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.16" - } - ], - "references": [ - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3898", - "severities": [], - "reference_id": "CVE-2009-3898", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "ef80f06b34224fbde70a6a359ccf297c0ec2bfae9148973d3689a1c2acb888ad", - "summary": "Memory disclosure in the ngx_http_mp4_module", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.15.6", - "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.15.5" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.14.1", - "affected_version_range": "vers:nginx/>=1.0.7|<=1.0.15|>=1.1.3|<=1.15.5" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html", - "severities": [ - { - "value": "medium", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16845", - "severities": [], - "reference_id": "CVE-2018-16845", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2018.mp4.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2018.mp4.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": 
"f52c1d6763864aa721f3c5d6fa201712a04cea0851085e8129014e56ba7b4bbe", - "summary": "Excessive CPU usage in HTTP/2 with priority changes", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.17.3", - "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.16.1", - "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html", - "severities": [ - { - "value": "low", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9513", - "severities": [], - "reference_id": "CVE-2019-9513", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "f9a0149f8d0c6afe588cc7c0a170e45c828219c342b9d7ca12d0e830c68b752a", - "summary": "SPDY memory corruption", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.5.11", - "affected_version_range": "vers:nginx/1.5.10" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2014/000132.html", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0088", - "severities": [], - "reference_id": "CVE-2014-0088", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2014.spdy.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.2014.spdy.txt.asc", - "severities": [], - 
"reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "fc72f81267258996f729b98893890074ad6155adcc3352d30a04765977836995", - "summary": "The renegotiation vulnerability in SSL protocol", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "0.8.23", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.22" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "0.7.64", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.22" - } - ], - "references": [ - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555", - "severities": [], - "reference_id": "CVE-2009-3555", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.cve-2009-3555.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.cve-2009-3555.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "fcb04608ea5442dbf70575273074915efc16a95be9d8c84d5f3146f6917b3fb1", - "summary": "Excessive memory usage in HTTP/2 with zero length headers", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.17.3", - "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "1.16.1", - "affected_version_range": "vers:nginx/>=1.9.5|<=1.17.2" - } - ], - "references": [ - { - "url": "https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html", - 
"severities": [ - { - "value": "low", - "system": "generic_textual", - "scoring_elements": "" - } - ], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9516", - "severities": [], - "reference_id": "CVE-2019-9516", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - }, - { - "unique_content_id": "fcb0ba0ce66c1f1cf3b4213fd6e9108ab9965d633582d3e9c070a792e02d9876", - "summary": "Null pointer dereference vulnerability", - "affected_packages": [ - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "0.8.14", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.13" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "0.7.62", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.13" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "0.6.39", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.13" - }, - { - "package": { - "name": "nginx", - "type": "nginx", - "subpath": "", - "version": "", - "namespace": "", - "qualifiers": "" - }, - "fixed_version": "0.5.38", - "affected_version_range": "vers:nginx/>=0.1.0|<=0.8.13" - } - ], - "references": [ - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3896", - "severities": [], - "reference_id": "CVE-2009-3896", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.null.pointer.txt", - "severities": [], - "reference_id": "", - "reference_type": "" - }, - { - "url": "https://nginx.org/download/patch.null.pointer.txt.asc", - "severities": [], - "reference_id": "", - "reference_type": "" - } - ], - "date_published": null, - "weaknesses": [] - } -] \ No newline at end of file