Package details: pkg:deb/debian/nginx@1.18.0-6.1%2Bdeb11u3
purl pkg:deb/debian/nginx@1.18.0-6.1%2Bdeb11u3
Next non-vulnerable version 1.26.3-3
Latest non-vulnerable version 1.26.3-3
Risk 10.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-66m3-refr-quf4
Aliases: CVE-2024-7347
Summary: Buffer overread in the ngx_http_mp4_module
Fixed by: 1.22.1-9+deb12u2 (affected by 1 other vulnerability)

VCID-jpnw-4r81-93c2
Aliases: CVE-2025-23419
Summary: SSL session reuse vulnerability
Fixed by: 1.22.1-9+deb12u2 (affected by 1 other vulnerability)

VCID-qeft-42gz-2bbq
Aliases: CVE-2020-36309
Summary: ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.
Fixed by: 1.22.1-9+deb12u2 (affected by 1 other vulnerability)

VCID-vfxh-kpsr-1kh7
Aliases: CVE-2024-33452
Summary: An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request.
Fixed by: 1.22.1-9+deb12u2 (affected by 1 other vulnerability)

VCID-w5uu-nj7c-wka6
Aliases: CVE-2023-44487, GHSA-qppj-fm5r-hxr3, VSV00013
Summary: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Fixed by: 1.26.3-3 (affected by 0 other vulnerabilities)

Vulnerabilities fixed by this package (9)
Vulnerability Summary Aliases
VCID-3d3j-83ap-jua7 ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer. CVE-2021-3618
VCID-81pb-4hqw-g3cs NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. CVE-2019-20372
VCID-9nfh-cgh8-ykam Excessive CPU usage in HTTP/2 with small window updates CVE-2019-9511
VCID-apkw-1xhe-rua1 Memory corruption in the ngx_http_mp4_module CVE-2022-41741
VCID-eanb-jznh-w3f1 Excessive memory usage in HTTP/2 with zero length headers CVE-2019-9516
VCID-pwx1-ppph-mkgm An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API. CVE-2020-11724
VCID-wvtc-3qza-afgh Excessive CPU usage in HTTP/2 with priority changes CVE-2019-9513
VCID-yrdf-1ka4-d7ff 1-byte memory overwrite in resolver CVE-2021-23017
VCID-ysea-ax3y-8uce Memory disclosure in the ngx_http_mp4_module CVE-2022-41742

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-01T19:58:09.465153+00:00 Debian Oval Importer Fixing VCID-9nfh-cgh8-ykam https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:07:57.147593+00:00 Debian Oval Importer Fixing VCID-81pb-4hqw-g3cs https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T18:16:16.495064+00:00 Debian Oval Importer Fixing VCID-pwx1-ppph-mkgm https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T16:17:44.228298+00:00 Debian Oval Importer Affected by VCID-vfxh-kpsr-1kh7 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:53:22.895495+00:00 Debian Oval Importer Fixing VCID-3d3j-83ap-jua7 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:26:09.762714+00:00 Debian Oval Importer Fixing VCID-apkw-1xhe-rua1 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:09:21.841765+00:00 Debian Oval Importer Fixing VCID-yrdf-1ka4-d7ff https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:22:45.661781+00:00 Debian Oval Importer Fixing VCID-ysea-ax3y-8uce https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T14:05:39.377170+00:00 Debian Oval Importer Fixing VCID-wvtc-3qza-afgh https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:55:57.055013+00:00 Debian Oval Importer Affected by VCID-66m3-refr-quf4 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:52:46.865626+00:00 Debian Oval Importer Fixing VCID-eanb-jznh-w3f1 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:41:01.157620+00:00 Debian Oval Importer Affected by VCID-jpnw-4r81-93c2 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T13:19:54.828584+00:00 Debian Oval Importer Affected by VCID-qeft-42gz-2bbq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T12:40:26.313931+00:00 Debian Importer Affected by VCID-w5uu-nj7c-wka6 https://security-tracker.debian.org/tracker/data/json 37.0.0