NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_, $arg_, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
0.7.12-20.8.2-1ubuntu10.8.9-10.8.9-1build10.8.9-1ubuntu10.9.1-1ubuntu10.9.1-1ubuntu20.9.1-1ubuntu20.9.1-1ubuntu30.9.4-10.9.4-1build10.9.4-1build20.9.4-1~build1Exploitability
AV:NAC:HAT:PPR:NUI:NVulnerable System
VC:HVI:HVA:HSubsequent System
SC:NSI:NSA:NCVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N