SB2017071420 - Integer overflow in nginx (Alpine package)
Published: July 14, 2017 Updated: December 19, 2023
Security Bulletin ID
SB2017071420
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Integer overflow (CVE-ID: CVE-2017-7529)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.The vulnerability exists due to integer overflow when processing specially crafted requests. A remote attacker can send a malicious request to vulnerable server and gain access to potentially sensitive information.
When using nginx with standard modules this allows an attacker to obtain a cache file header if a response was returned from cache. In some configurations a cache file header may contain IP address of the backend server or other sensitive information.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=e86a2a9f72ca3473b25cd7ae7085d79c368615b0
- https://git.alpinelinux.org/aports/commit/?id=6b75c937d616093cfc19f88eb23252e393cc3307
- https://git.alpinelinux.org/aports/commit/?id=daf677dacdc4524021cebc6cb437e53330e6ae67
- https://git.alpinelinux.org/aports/commit/?id=568c8a2d9824659603b97fe862a329e1022048b4
- https://git.alpinelinux.org/aports/commit/?id=e762c3178d2ceda6617f0437591f0e7b8333912a
- https://git.alpinelinux.org/aports/commit/?id=a8736b1ef63631b4ba022004d7eb9012dfea6d24