CVE-2024-7347: 
NGINX vulnerability analysis and mitigation

NGINX Open Source and NGINX Plus contain a vulnerability (CVE-2024-7347) in the ngxhttpmp4module that allows attackers to over-read NGINX worker memory resulting in its termination through a specially crafted mp4 file. The vulnerability affects NGINX versions from 1.5.13 onwards and is only exploitable when the ngxhttpmp4module is built into NGINX and the mp4 directive is used in the configuration file (NVD, OSS Security).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) and Buffer Over-read (CWE-126) issue. It has received a CVSS v3.1 base score of 4.7 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating local access requirements and high complexity for exploitation (NVD).

When successfully exploited, the vulnerability can cause the NGINX worker process to crash, resulting in a denial of service condition. The impact is limited to environments where the ngxhttpmp4_module is built and enabled, and where an attacker can trigger the processing of a specially crafted mp4 file (OSS Security).

The vulnerability has been fixed in NGINX versions 1.27.1 and 1.26.2. A patch for the issue is available at nginx.org/download/patch.2024.mp4.txt. Organizations running affected versions should upgrade to the fixed versions (OSS Security).