{"id":"AZL-47789","summary":"CVE-2024-7347 affecting package nginx for versions less than 1.25.4-2","details":"NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.","modified":"2026-04-01T05:17:04.232140Z","published":"2024-08-14T15:15:31Z","upstream":["CVE-2024-7347"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7347"}],"affected":[{"package":{"name":"nginx","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/nginx"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.25.4-2"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-47789.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}