{"id":"CVE-2018-16845","details":"nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause an infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the \"mp4\" directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.","modified":"2026-05-18T05:51:33.407889973Z","published":"2018-11-07T14:29:00.883Z","related":["SUSE-SU-2019:0334-1","SUSE-SU-2019:2309-1","openSUSE-SU-2019:0195-1","openSUSE-SU-2019:2120-1","openSUSE-SU-2024:11092-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*"],"vendor_product":"apple:xcode","source":"CPE_FIELD","extracted_events":[{"fixed":"13.0"}]},{"cpes":["cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*"],"vendor_product":"canonical:ubuntu_linux","source":"CPE_FIELD","extracted_events":[{"last_affected":"14.04"},{"last_affected":"16.04"},{"last_affected":"18.04"},{"last_affected":"18.10"}]},{"cpes":["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux","source":"CPE_FIELD","extracted_events":[{"last_affected":"8.0"},{"last_affected":"9.0"}]},{"cpes":["cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"],"vendor_product":"opensuse:leap","source":"CPE_FIELD","extracted_events":[{"last_affected":"15.1"}]}]},"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"},{"type":"ADVISORY","url":"http:
//seclists.org/fulldisclosure/2021/Sep/36"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/105868"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1042039"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3652"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3653"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3680"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3681"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT212818"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4335"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845"},{"type":"FIX","url":"http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html"},{"type":"FIX","url":"https://usn.ubuntu.com/3812-1/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/nginx","events":[{"introduced":"1e60aca96cac686ab1f4efdf146f7fb1e75e1920"},{"last_affected":"6350cc9101cf6098b462adcef34fb8ce28c438f7"},{"introduced":"0c54cce4e1317dc585c3ef722a7ff02cf9817747"},{"last_affected":"c040ab4bbf393b39489c4cf9ebb21109b2c15a00"}],"database_specific":{"extracted_events":[{"introduced":"1.0.7"},{"last_affected":"1.0.15"},{"introduced":"1.1.3"},{"last_affected":"1.15.5"}],"cpe":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["release-1.15.5","release-1.15.4","release-1.15.3","release-1.15.2","release-1.15.1","release-1.15.0","release-1.13.12","release-1.13.11","release-1.13.10","release-1.13.9","release-1.13.8","release-1.13.7","release-1.13.6","release-1.13.5","release-1.13.4","release-1.13.3","release-1.13.2","release-1.13.1","release-1.13.0","release-1.11.13","release-1.11.12","release-1.11.11","release-1.11.10","release-1.11.9","release-1.11.8","release-1.11.7","release-1.11.6","release-1.11.5","release-1.11.4","r
elease-1.11.3","release-1.11.2","release-1.11.1","release-1.11.0","release-1.9.15","release-1.9.14","release-1.9.13","release-1.9.12","release-1.9.11","release-1.9.10","release-1.9.9","release-1.9.8","release-1.9.7","release-1.9.6","release-1.9.5","release-1.9.4","release-1.9.3","release-1.9.2","release-1.9.1","release-1.9.0","release-1.7.12","release-1.7.11","release-1.7.10","release-1.7.9","release-1.7.8","release-1.7.7","release-1.7.6","release-1.7.5","release-1.7.4","release-1.7.3","release-1.7.2","release-1.7.1","release-1.7.0","release-1.5.13","release-1.5.12","release-1.5.11","release-1.5.10","release-1.5.9","release-1.5.8","release-1.5.7","release-1.5.6","release-1.5.5","release-1.5.4","release-1.5.3","release-1.5.2","release-1.5.1","release-1.5.0","release-1.4.0","release-1.3.16","release-1.3.15","release-1.3.14","release-1.3.13","release-1.3.12","release-1.3.11","release-1.3.10","release-1.3.9","release-1.3.8","release-1.3.7","release-1.3.6","release-1.3.5","release-1.3.4","release-1.3.3","release-1.3.2","release-1.3.1","release-1.3.0","release-1.2.0","release-1.0.15","release-1.1.19","release-1.1.18","release-1.0.14","release-1.1.17","release-1.0.13","release-1.1.16","release-1.1.15","release-1.0.12","release-1.1.14","release-1.1.13","release-1.1.12","release-1.0.11","release-1.1.11","release-1.1.10","release-1.1.9","release-1.0.10","release-1.1.8","release-1.0.9","release-1.1.7","release-1.1.6","release-1.1.5","release-1.0.8","release-1.0.7","release-1.1.4","release-1.1.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-16845.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"}]}