nginx vulnerability
Maxim Dounin
mdounin at mdounin.ru
Tue Nov 24 15:37:54 UTC 2020
Hello!
On Thu, Nov 19, 2020 at 02:06:46PM -0800, Frank Liu wrote:
> CVE-2019-20372 mentioned a security vulnerability, but I don't see it in
> http://nginx.org/en/security_advisories.html
> Does that mean CVE-2019-20372 is not considered a security vulnerability by
> nginx? Or is it because nginx standard config won't be vulnerable, and
> users have to enable error_log in order to be vulnerable?
CVE-2019-20372 corresponds to the following bugfix in nginx
1.17.7:
*) Bugfix: requests with bodies were handled incorrectly when returning
redirections with the "error_page" directive; the bug had appeared in
0.7.12.
It only affects rarely used configurations with error_page
returning redirects by itself, that is, configurations with
"error_page ... http://...". Further, it can only have any
security impact if nginx is used behind another HTTP proxy, and
the configuration relies on security checks on this proxy.
Given the above, it is not considered to be a security issue, but
rather treated as a bug. This bug is already fixed in all
supported nginx versions.
--
Maxim Dounin
http://mdounin.ru/
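As an added example (not part of this thread or of nginx itself), a small Python audit that flags the configuration pattern Maxim describes: "error_page" directives whose last argument is an absolute http:// or https:// URL, paired with a check of the running version against the 1.17.7 bugfix release. The sample config is constructed for the demo; in practice you would feed it the output of "nginx -T".

```python
import re

# An nginx directive ends with ';' and may span several lines. For error_page the
# target is the last argument; status codes and an optional "=[code]" modifier precede it.
ERROR_PAGE_RE = re.compile(r'\berror_page\s+([^;]+);', re.S)
ABSOLUTE_URL_RE = re.compile(r'^https?://', re.I)
FIXED_VERSION = (1, 17, 7)  # release carrying the bugfix named in the thread

# Constructed sample config: two directives redirect to an absolute URL, one is commented out.
SAMPLE_CONFIG = """
server {
    listen 80;
    # error_page 404 http://commented.example/;   (commented out, must be ignored)
    error_page 404 /404.html;
    error_page 500 502 =302 http://errors.example/maintenance;
    location /old/ {
        error_page 403 https://auth.example/login;
    }
}
"""

def find_redirecting_error_pages(config_text):
    """Return (line_number, target) for every error_page whose target is an absolute URL."""
    # Drop comment text but keep the newlines so reported line numbers stay correct.
    stripped = re.sub(r'#[^\n]*', '', config_text)
    hits = []
    for m in ERROR_PAGE_RE.finditer(stripped):
        args = m.group(1).split()
        if not args:
            continue
        target = args[-1]
        if ABSOLUTE_URL_RE.match(target):
            line = stripped.count('\n', 0, m.start()) + 1
            hits.append((line, target))
    return hits

def parse_version(version):
    return tuple(int(part) for part in version.split('.'))

def assess(config_text, nginx_version):
    """Combine the directive scan with the version check into one verdict."""
    hits = find_redirecting_error_pages(config_text)
    fixed = parse_version(nginx_version) >= FIXED_VERSION
    return {
        "affected_directives": hits,
        "version_fixed": fixed,
        # Only unpatched nginx with redirecting error_page directives needs follow-up.
        "needs_attention": bool(hits) and not fixed,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, "1.16.1"))
```

A hit on an unpatched version only matters, as the reply explains, when a proxy in front of nginx is the component enforcing access checks; the scan tells you where to look, not whether that second condition holds.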