nginx vulnerability

Maxim Dounin mdounin at mdounin.ru
Tue Nov 24 15:37:54 UTC 2020


Hello!

On Thu, Nov 19, 2020 at 02:06:46PM -0800, Frank Liu wrote:

> CVE-2019-20372 mentioned a security vulnerability, but I don't see it in
> http://nginx.org/en/security_advisories.html
> Does that mean CVE-2019-20372 is not considered a security vulnerability by
> nginx? Or is it because nginx standard config won't be vulnerable, and
> users have to enable error_log in order to be vulnerable?

The CVE-2019-20372 corresponds to the following bugfix in nginx 
1.17.7:

    *) Bugfix: requests with bodies were handled incorrectly when returning
       redirections with the "error_page" directive; the bug had appeared in
       0.7.12.

It only affects rarely used configurations with error_page 
returning redirects by itself, that is, configurations with 
"error_page ... http://...".  Further, it can only have any 
security impact if nginx is used behind another HTTP proxy, and 
the configuration relies on security checks on this proxy.

Given the above, it is not considered to be a security issue, but 
rather treated as a bug.  This bug is already fixed in all 
supported nginx versions.

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx mailing list