Description

A heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. The problem affects nginx compiled with the ngx_http_spdy_module module (which is not compiled by default) and without --with-debug configure option, if the "spdy" option of the "listen" directive is used in a configuration file.

Remediation

Upgrade nginx to the latest version or apply the patch provided by the vendor.

References

nginx security advisory (CVE-2014-0133)

nginx patch

Related Vulnerabilities

MovableType remote code execution

WordPress XML-RPC authentication brute force

ASP.NET Deny missing from authorization rule on location

Web Cache Poisoning DoS (for javascript)

WordPress default administrator account

Severity

High

Classification

CVE-2014-0133 CWE-122 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Buffer Overflow Configuration