CVE-2022-41742: 
NGINX vulnerability analysis and mitigation

A vulnerability was discovered in NGINX's ngxhttpmp4module (CVE-2022-41742) affecting NGINX Open Source versions before 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1. The vulnerability only affects NGINX installations built with the ngxhttpmp4module and when the mp4 directive is used in the configuration file (MITRE CVE, Ubuntu Security).

The vulnerability exists in the ngxhttpmp4_module module and can be triggered when processing specially crafted audio or video files. The issue has a CVSS Base Score of 7.1 (High) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, indicating local access is required with low attack complexity (Ubuntu Security).

When successfully exploited, this vulnerability could lead to worker process crashes and worker process memory disclosure. The attack is only possible if an attacker can trigger the processing of a specially crafted audio or video file with the ngxhttpmp4_module (MITRE CVE, NetApp Security).

The vulnerability has been fixed in NGINX Open Source versions 1.23.2 and 1.22.1, NGINX Open Source Subscription versions R2 P1 and R1 P1, and NGINX Plus versions R27 P1 and R26 P1. Users are advised to upgrade to these or later versions to address the vulnerability (Ubuntu Security, Debian Security).