MidnightBSD

Advisories for openresty

CVE-2018-9230 HIGH

In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions that ignore parameters beyond the hundredth one, which might allow remote attackers to bypass intended access restrictions or interfere with certain Web Application Firewall (ngx_lua_waf or X-WAF) products. NOTE: the vendor has reported that 100 parameters is an intentional default setting, but is adjustable within the API. The vendor's position is that a security-relevant misuse of the API by a WAF product is a vulnerability in the WAF product, not a vulnerability in OpenResty.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor Product Version
openresty openresty *

CVE-2020-11724 MEDIUM

An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444

Products Affected

Vendor Product Version
debian debian_linux 9.0
openresty openresty *
debian debian_linux 10.0

CVE-2020-36309 MEDIUM

ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
openresty lua-nginx-module *

CVE-2021-23017 MEDIUM

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L 2.2 5.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-193

Products Affected

Vendor Product Version
f5 nginx *
oracle enterprise_session_border_controller 8.4
oracle goldengate *
oracle communications_session_border_controller 8.4
oracle enterprise_telephony_fraud_monitor 4.3
oracle blockchain_platform *
oracle communications_control_plane_monitor 4.2
netapp ontap_select_deploy_administration_utility -
oracle communications_control_plane_monitor 3.4
oracle enterprise_telephony_fraud_monitor 3.4
oracle communications_control_plane_monitor 4.4
oracle communications_operations_monitor 4.3
fedoraproject fedora 34
oracle communications_session_border_controller 9.0
oracle enterprise_telephony_fraud_monitor 4.2
oracle enterprise_communications_broker 3.3.0
openresty openresty *
oracle communications_operations_monitor 4.2
oracle communications_operations_monitor 4.4
oracle communications_fraud_monitor *
oracle enterprise_session_border_controller 9.0
fedoraproject fedora 33
oracle communications_control_plane_monitor 4.3
oracle enterprise_telephony_fraud_monitor 4.4
oracle communications_operations_monitor 3.4

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
grpc grpc 1.57.0
redhat run_once_duration_override_operator -
projectcontour contour *
fedoraproject fedora 38
redhat openshift_pipelines -
redhat satellite 6.0
cisco ios_xr *
f5 big-ip_fraud_protection_service 17.1.0
redhat network_observability_operator -
debian debian_linux 10.0
f5 big-ip_advanced_firewall_manager *
redhat openshift_distributed_tracing -
microsoft windows_10_22h2 *
microsoft windows_server_2019 -
f5 big-ip_local_traffic_manager 17.1.0
redhat certification_for_red_hat_enterprise_linux 8.0
redhat jboss_fuse 7.0.0
redhat quay 3.0.0
f5 big-ip_advanced_firewall_manager 17.1.0
redhat openstack_platform 17.1
netty netty *
cisco firepower_threat_defense *
redhat openshift_api_for_data_protection -
facebook proxygen *
microsoft windows_10_21h2 *
openresty openresty *
cisco secure_dynamic_attributes_connector *
redhat openshift_dev_spaces -
golang go *
microsoft windows_server_2022 -
f5 nginx_plus *
f5 big-ip_analytics *
f5 big-ip_advanced_web_application_firewall *
cisco ios_xe *
cisco nx-os *
f5 big-ip_local_traffic_manager *
cisco telepresence_video_communication_server *
cisco unified_contact_center_enterprise_-_live_data_server *
microsoft cbl-mariner *
apache apisix *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
fedoraproject fedora 37
linecorp armeria *
istio istio *
microsoft windows_11_21h2 *
envoyproxy envoy 1.27.0
microsoft visual_studio_2022 *
redhat ansible_automation_platform 2.0
netapp astra_control_center -
redhat jboss_enterprise_application_platform 7.0.0
linkerd linkerd 2.14.1
varnish_cache_project varnish_cache *
linkerd linkerd *
f5 nginx_plus r29
redhat ceph_storage 5.0
redhat decision_manager 7.0
f5 big-ip_ddos_hybrid_defender *
f5 big-ip_next 20.0.1
f5 nginx *
redhat logging_subsystem_for_red_hat_openshift -
f5 big-ip_webaccelerator 17.1.0
redhat jboss_a-mq_streams -
envoyproxy envoy 1.24.10
f5 big-ip_domain_name_system *
f5 big-ip_ssl_orchestrator *
grpc grpc *
redhat node_healthcheck_operator -
f5 big-ip_application_security_manager 17.1.0
f5 nginx_ingress_controller *
microsoft windows_10_1809 *
f5 big-ip_access_policy_manager 17.1.0
apple swiftnio_http/2 *
redhat openshift_gitops -
cisco expressway *
f5 big-ip_link_controller 17.1.0
cisco prime_network_registrar *
apache tomcat 11.0.0
redhat openshift_service_mesh 2.0
redhat cost_management -
dena h2o *
f5 big-ip_websafe *
microsoft azure_kubernetes_service *
apache traffic_server *
f5 big-ip_ssl_orchestrator 17.1.0
golang http2 *
f5 big-ip_carrier-grade_nat *
amazon opensearch_data_prepper *
cisco iot_field_network_director *
redhat openshift_developer_tools_and_services -
redhat jboss_enterprise_application_platform 6.0.0
microsoft .net *
redhat single_sign-on 7.0
f5 big-ip_domain_name_system 17.1.0
nodejs node.js *
cisco crosswork_data_gateway 5.0
golang networking *
cisco ultra_cloud_core_-_session_management_function *
redhat fence_agents_remediation_operator -
cisco business_process_automation *
redhat openshift_virtualization 4
konghq kong_gateway *
cisco unified_attendant_console_advanced -
traefik traefik 3.0.0
traefik traefik *
nghttp2 nghttp2 *
f5 big-ip_application_acceleration_manager *
f5 big-ip_analytics 17.1.0
linkerd linkerd 2.13.0
redhat migration_toolkit_for_containers -
redhat jboss_a-mq 7
redhat migration_toolkit_for_virtualization -
f5 big-ip_ddos_hybrid_defender 17.1.0
redhat enterprise_linux 8.0
apache solr *
f5 big-ip_policy_enforcement_manager 17.1.0
cisco secure_web_appliance_firmware *
f5 big-ip_application_visibility_and_reporting 17.1.0
redhat enterprise_linux 6.0
redhat advanced_cluster_security 3.0
microsoft windows_11_22h2 *
linkerd linkerd 2.13.1
redhat integration_service_registry -
microsoft windows_10_1607 *
redhat openshift_data_science -
redhat web_terminal -
debian debian_linux 12.0
redhat cert-manager_operator_for_red_hat_openshift -
f5 big-ip_access_policy_manager *
cisco unified_contact_center_enterprise -
cisco crosswork_situation_manager -
f5 big-ip_webaccelerator *
redhat build_of_quarkus -
redhat jboss_fuse 6.0.0
cisco ultra_cloud_core_-_policy_control_function *
f5 big-ip_application_security_manager *
kazu-yamamoto http2 *
redhat 3scale_api_management_platform 2.0
f5 big-ip_advanced_web_application_firewall 17.1.0
cisco crosswork_zero_touch_provisioning *
f5 big-ip_policy_enforcement_manager *
f5 big-ip_link_controller *
f5 big-ip_carrier-grade_nat 17.1.0
cisco fog_director *
redhat node_maintenance_operator -
redhat service_interconnect 1.0
cisco prime_access_registrar *
ietf http 2.0
envoyproxy envoy 1.25.9
f5 nginx_plus r30
redhat support_for_spring_boot -
debian debian_linux 11.0
redhat enterprise_linux 9.0
f5 big-ip_application_acceleration_manager 17.1.0
redhat process_automation 7.0
cisco data_center_network_manager -
redhat integration_camel_for_spring_boot -
f5 big-ip_application_visibility_and_reporting *
redhat certification_for_red_hat_enterprise_linux 9.0
cisco enterprise_chat_and_email -
cisco unified_contact_center_domain_manager -
redhat machine_deletion_remediation_operator -
cisco crosswork_data_gateway *
redhat openshift_sandboxed_containers -
f5 big-ip_global_traffic_manager *
redhat migration_toolkit_for_applications 6.0
cisco prime_cable_provisioning *
cisco ultra_cloud_core_-_serving_gateway_function *
cisco connected_mobile_experiences *
cisco unified_contact_center_management_portal -
microsoft windows_server_2016 -
redhat advanced_cluster_security 4.0
redhat self_node_remediation_operator -
akka http_server *
redhat build_of_optaplanner 8.0
jenkins jenkins *
cisco prime_infrastructure *
redhat service_telemetry_framework 1.5
redhat openshift_container_platform 4.0
redhat openstack_platform 16.2
redhat openshift -
redhat openstack_platform 16.1
redhat openshift_secondary_scheduler_operator -
envoyproxy envoy 1.26.4
redhat integration_camel_k -
redhat advanced_cluster_management_for_kubernetes 2.0
f5 big-ip_global_traffic_manager 17.1.0
linkerd linkerd 2.14.0
redhat openshift_container_platform_assisted_installer -
f5 big-ip_websafe 17.1.0
netapp oncommand_insight -
eclipse jetty *
redhat jboss_data_grid 7.0.0
cisco secure_malware_analytics *
f5 big-ip_fraud_protection_service *
redhat cryostat 2.0
redhat jboss_core_services -
apache tomcat *
microsoft asp.net_core *
redhat openshift_serverless -
f5 big-ip_next_service_proxy_for_kubernetes *
caddyserver caddy *

CVE-2024-33452

An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L 2.2 5.5

Products Affected

Vendor Product Version
openresty lua-nginx-module *

CVE-2024-39702

In lj_str_hash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository is unaffected.

Products Affected

Vendor Product Version
openresty openresty *
openresty openresty 1.25.3.1