4.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-7347

CVE-2024-7347: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might...

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-7347

CVE-2024-7347:

4.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the ngx_http_mp4_module.c file, specifically within the ngx_http_mp4_crop_stsc_data function. The provided patch clearly shows modifications to this function to prevent an integer overflow. The change in the data type of the variable n from uint32_t to uint64_t and the explicit cast during multiplication (uint64_t) (next_chunk - chunk) * samples are direct evidence of fixing an integer overflow vulnerability. This overflow could lead to an incorrect calculation of sample counts or offsets, resulting in an out-of-bounds read when processing a malicious MP4 file, as described in the vulnerability report. The function processes MP4 file metadata ('stsc' atom, which stands for Sample-To-Chunk), and an error here could lead to reading beyond allocated buffer boundaries.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-7347: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might...

CVE-2024-7347:

4.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

4.7

4.7

CVE-2024-7347: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might...

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI