7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-24989

GHSA ID

GHSA-m46h-9pv9-w5xp

EPSS Score

0.70383%

CWE

CWE-476

Published

2/14/2024

Updated

6/10/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-24989

CVE-2024-24989: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests...

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .

NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-24989

CVE-2024-24989:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-24989

GHSA ID

GHSA-m46h-9pv9-w5xp

EPSS Score

0.70383%

CWE

CWE-476

Published

2/14/2024

Updated

6/10/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2024-24989) is described as a condition where undisclosed requests can cause Nginx worker processes to terminate when the HTTP/3 QUIC module is used, and it's classified as a CWE-476 (NULL Pointer Dereference). The provided information indicates that nginx version 1.25.4 fixes this issue, which affected versions 1.25.0 - 1.25.3.

By comparing the commits between release-1.25.3 and release-1.25.4 of the nginx/nginx repository, I identified relevant commits related to QUIC. Specifically, commit 5902baf680609f884a1e11ff2b82a0bffb3724cc titled "QUIC: trial packet decryption in response to invalid key update" directly addresses a segfault (a common result of NULL pointer dereferences) when accessing missing next keys in the ngx_quic_decrypt function within src/event/quic/ngx_event_quic_protection.c. The patch explicitly adds a NULL check (if (pkt->keys->next_key.client.ctx != NULL)) before accessing pkt->keys->next_key.client, which is a clear indication of fixing a NULL pointer dereference vulnerability.

The oss-security mailing list also confirms that CVE-2024-24989 was fixed in nginx 1.25.4 and was related to a worker process crash in the HTTP/3 QUIC implementation.

Another commit, 5818f8a6693b3c0d95021f2ee58b69dcf848911c, fixed a double-free in ngx_quic_stream_cleanup_handler. While this also causes a crash, CVE-2024-24989 is specifically identified as a NULL Pointer Dereference (CWE-476). The advisory mentions two CVEs (CVE-2024-24989 and CVE-2024-24990) fixed in 1.25.4. It is most likely that the NULL pointer dereference fix in ngx_quic_decrypt corresponds to CVE-2024-24989.

Therefore, ngx_quic_decrypt is identified as the vulnerable function based on the direct evidence in the patch and the nature of the vulnerability (NULL pointer dereference leading to a crash).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-24989: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests...

CVE-2024-24989:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

7.5

7.5

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-24989: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests...

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI