CVE-2009-2629 - OpenCVE

Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
F5	Nginx
Debian	Debian Linux
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:f5:nginx::::::::
	cpe:2.3:a:f5:nginx::::::::
	cpe:2.3:a:f5:nginx::::::::
	cpe:2.3:a:f5:nginx::::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:4.0:::::::*
	cpe:2.3:o:debian:debian_linux:5.0:::::::*
	cpe:2.3:o:debian:debian_linux:6.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:fedoraproject:fedora:10:::::::*
	cpe:2.3:o:fedoraproject:fedora:11:::::::*
	cpe:2.3:o:fedoraproject:fedora:12:::::::*

References

Link	Resource
http://nginx.net/CHANGES	Release Notes Vendor Advisory
http://nginx.net/CHANGES-0.5	Release Notes Vendor Advisory
http://nginx.net/CHANGES-0.6	Release Notes Vendor Advisory
http://nginx.net/CHANGES-0.7	Release Notes Vendor Advisory
http://sysoev.ru/nginx/patch.180065.txt	Broken Link
http://www.debian.org/security/2009/dsa-1884	Third Party Advisory
http://www.kb.cert.org/vuls/id/180065	Third Party Advisory US Government Resource
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2009-09-15T22:00:00

Updated: 2009-12-17T10:00:00

Reserved: 2009-07-28T00:00:00

Link: CVE-2009-2629

JSON object: View

NVD Information

Status : Analyzed

Published: 2009-09-15T22:30:00.233

Modified: 2021-11-10T15:52:54.030

Link: CVE-2009-2629

JSON object: View

Redhat Information

No data.

CWE

CWE-787

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-09-14T00:00:00", "descriptions": [{"lang": "en", "value": "Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-12-17T10:00:00", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "VU#180065", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/180065"}, {"name": "FEDORA-2009-12750", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://nginx.net/CHANGES-0.7"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://nginx.net/CHANGES"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sysoev.ru/nginx/patch.180065.txt"}, {"name": "DSA-1884", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2009/dsa-1884"}, {"name": "FEDORA-2009-12775", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html"}, {"name": "FEDORA-2009-12782", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://nginx.net/CHANGES-0.5"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://nginx.net/CHANGES-0.6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2009-2629", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "VU#180065", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/180065"}, {"name": "FEDORA-2009-12750", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html"}, {"name": "http://nginx.net/CHANGES-0.7", "refsource": "CONFIRM", "url": "http://nginx.net/CHANGES-0.7"}, {"name": "http://nginx.net/CHANGES", "refsource": "CONFIRM", "url": "http://nginx.net/CHANGES"}, {"name": "http://sysoev.ru/nginx/patch.180065.txt", "refsource": "CONFIRM", "url": "http://sysoev.ru/nginx/patch.180065.txt"}, {"name": "DSA-1884", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2009/dsa-1884"}, {"name": "FEDORA-2009-12775", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html"}, {"name": "FEDORA-2009-12782", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html"}, {"name": "http://nginx.net/CHANGES-0.5", "refsource": "CONFIRM", "url": "http://nginx.net/CHANGES-0.5"}, {"name": "http://nginx.net/CHANGES-0.6", "refsource": "CONFIRM", "url": "http://nginx.net/CHANGES-0.6"}]}}}}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2009-2629", "datePublished": "2009-09-15T22:00:00", "dateReserved": "2009-07-28T00:00:00", "dateUpdated": "2009-12-17T10:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0DE2A3E-F210-4B55-900A-13C309891E3E", "versionEndExcluding": "0.5.38", "versionStartIncluding": "0.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "matchCriteriaId": "692B1E17-4FB8-484E-85D2-4E90641268F5", "versionEndExcluding": "0.6.39", "versionStartIncluding": "0.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "matchCriteriaId": "587F3642-4CB9-4D61-A5C9-55D7D172D96D", "versionEndExcluding": "0.7.62", "versionStartIncluding": "0.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "matchCriteriaId": "93F18982-44F0-4A93-9A6A-D857E1577A5B", "versionEndExcluding": "0.8.15", "versionStartIncluding": "0.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F92AB32-E7DE-43F4-B877-1F41FA162EC7", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "8C757774-08E7-40AA-B532-6F705C8F7639", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*", "matchCriteriaId": "7000D33B-F3C7-43E8-8FC7-9B97AADC3E12", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*", "matchCriteriaId": "B3BB5EDB-520B-4DEF-B06E-65CA13152824", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:12:*:*:*:*:*:*:*", "matchCriteriaId": "E44669D7-6C1E-4844-B78A-73E253A7CC17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests."}, {"lang": "es", "value": "Desbordamiento de b\u00fafer inferior en src/http/ngx_http_parse.c en nginx v0.1.0 a la v0.5.37, v0.6.x a la v0.6.39, v0.7.x a la v0.7.62, y v0.8.x anterior a v0.8.15, permite a atacantes ejecutar c\u00f3digo de su elecci\u00f3n a trav\u00e9s de peticiones HTTP manipuladas."}], "id": "CVE-2009-2629", "lastModified": "2021-11-10T15:52:54.030", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-09-15T22:30:00.233", "references": [{"source": "cret@cert.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://nginx.net/CHANGES"}, {"source": "cret@cert.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://nginx.net/CHANGES-0.5"}, {"source": "cret@cert.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://nginx.net/CHANGES-0.6"}, {"source": "cret@cert.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://nginx.net/CHANGES-0.7"}, {"source": "cret@cert.org", "tags": ["Broken Link"], "url": "http://sysoev.ru/nginx/patch.180065.txt"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2009/dsa-1884"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/180065"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}