CVE-2024-39792: 
Nginx Plus vulnerability analysis and mitigation

A vulnerability in NGINX Plus, identified as CVE-2024-39792, affects systems configured to use the MQTT pre-read module. The vulnerability was disclosed on August 14, 2024, and affects NGINX Plus versions R30 through R32. When exploited, this vulnerability can cause an increase in memory resource utilization (CERT-EU, NVD).

The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. Under CVSS v3.1, it received a base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is associated with CWE-672 (Operation on a Resource after Expiration or Release) and CWE-825 (Expired Pointer Dereference) (NVD).

The vulnerability allows a remote, unauthenticated attacker to degrade the performance of the NGINX service until the master and worker processes are restarted. Continued degradation can escalate into a denial-of-service (DoS). The impact is restricted to the data plane, with no exposure of the control plane (CERT-EU).

Organizations are advised to apply updates to the affected assets as soon as possible. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated (CERT-EU, NVD).