Vulnerability Description
src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14, 0.5.x before 0.5.38, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.14 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a long URI.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F5 | Nginx | 0.1.0 |
| Nginx | Nginx | 0.6.1516 |
Related Weaknesses (CWE)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552035Exploit
- http://marc.info/?l=nginx&m=125692080328141&w=2
- http://secunia.com/advisories/48577
- http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3.diff.g
- http://security.gentoo.org/glsa/glsa-201203-22.xml
- http://sysoev.ru/nginx/patch.null.pointer.txtPatch
- http://www.debian.org/security/2009/dsa-1920
- http://www.openwall.com/lists/oss-security/2009/11/20/1Patch
- http://www.openwall.com/lists/oss-security/2009/11/20/6Patch
- http://www.openwall.com/lists/oss-security/2009/11/23/10Patch
- http://www.securityfocus.com/bid/36839ExploitPatch
- https://bugzilla.redhat.com/show_bug.cgi?id=539565Patch
- https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.h
- https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.h
- https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.h
FAQ
What is CVE-2009-3896?
CVE-2009-3896 is a vulnerability with a CVSS score of 5.0 (MEDIUM). src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14, 0.5.x before 0.5.38, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.14 allows remote attackers to cause a denial...
How severe is CVE-2009-3896?
CVE-2009-3896 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-3896?
Check the references section above for vendor advisories and patch information. Affected products include: F5 Nginx, Nginx Nginx.