Vulnerability Details CVE-2013-2070
http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.089
EPSS Ranking 92.1%
CVSS Severity
CVSS v2 Score 5.8
References
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html
- http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
- http://nginx.org/download/patch.2013.proxy.txt
- http://seclists.org/oss-sec/2013/q2/291
- http://secunia.com/advisories/55181
- http://security.gentoo.org/glsa/glsa-201310-04.xml
- http://www.debian.org/security/2013/dsa-2721
- http://www.openwall.com/lists/oss-security/2013/05/13/3
- http://www.securityfocus.com/bid/59824
- https://bugzilla.redhat.com/show_bug.cgi?id=962525
- https://exchange.xforce.ibmcloud.com/vulnerabilities/84172
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html
- http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
- http://nginx.org/download/patch.2013.proxy.txt
- http://seclists.org/oss-sec/2013/q2/291
- http://secunia.com/advisories/55181
- http://security.gentoo.org/glsa/glsa-201310-04.xml
- http://www.debian.org/security/2013/dsa-2721
- http://www.openwall.com/lists/oss-security/2013/05/13/3
- http://www.securityfocus.com/bid/59824
- https://bugzilla.redhat.com/show_bug.cgi?id=962525
- https://exchange.xforce.ibmcloud.com/vulnerabilities/84172
Products affected by CVE-2013-2070
-
cpe:2.3:a:f5:nginx:1.1.10
-
cpe:2.3:a:f5:nginx:1.1.11
-
cpe:2.3:a:f5:nginx:1.1.12
-
cpe:2.3:a:f5:nginx:1.1.13
-
cpe:2.3:a:f5:nginx:1.1.14
-
cpe:2.3:a:f5:nginx:1.1.15
-
cpe:2.3:a:f5:nginx:1.1.16
-
cpe:2.3:a:f5:nginx:1.1.17
-
cpe:2.3:a:f5:nginx:1.1.18
-
cpe:2.3:a:f5:nginx:1.1.19
-
cpe:2.3:a:f5:nginx:1.1.4
-
cpe:2.3:a:f5:nginx:1.1.5
-
cpe:2.3:a:f5:nginx:1.1.6
-
cpe:2.3:a:f5:nginx:1.1.7
-
cpe:2.3:a:f5:nginx:1.1.8
-
cpe:2.3:a:f5:nginx:1.1.9
-
cpe:2.3:a:f5:nginx:1.2.0
-
cpe:2.3:a:f5:nginx:1.2.1
-
cpe:2.3:a:f5:nginx:1.2.2
-
cpe:2.3:a:f5:nginx:1.2.3
-
cpe:2.3:a:f5:nginx:1.2.4
-
cpe:2.3:a:f5:nginx:1.2.5
-
cpe:2.3:a:f5:nginx:1.2.6
-
cpe:2.3:a:f5:nginx:1.2.7
-
cpe:2.3:a:f5:nginx:1.2.8
-
cpe:2.3:a:f5:nginx:1.3.10
-
cpe:2.3:a:f5:nginx:1.3.11
-
cpe:2.3:a:f5:nginx:1.3.12
-
cpe:2.3:a:f5:nginx:1.3.13
-
cpe:2.3:a:f5:nginx:1.3.14
-
cpe:2.3:a:f5:nginx:1.3.15
-
cpe:2.3:a:f5:nginx:1.3.16
-
cpe:2.3:a:f5:nginx:1.3.9
-
cpe:2.3:a:f5:nginx:1.4.0
-
cpe:2.3:o:debian:debian_linux:6.0
-
cpe:2.3:o:debian:debian_linux:7.0