{"id":"CVE-2020-36309","details":"ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.","aliases":["BIT-openresty-2020-36309"],"modified":"2026-04-09T07:15:32.007425Z","published":"2021-04-06T19:15:13.583Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/06/msg00026.html"},{"type":"ADVISORY","url":"https://news.ycombinator.com/item?id=26712562"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210507-0005/"},{"type":"FIX","url":"https://github.com/openresty/lua-nginx-module/compare/v0.10.15...v0.10.16"},{"type":"FIX","url":"https://github.com/openresty/lua-nginx-module/pull/1654"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openresty/lua-nginx-module","events":[{"introduced":"0"},{"fixed":"c2565fe799408c31bf445530a0e68c9bdb2de1fa"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.10.16"}]}}],"versions":["v0.0.1","v0.0.10","v0.0.11","v0.0.12","v0.0.13","v0.0.14","v0.0.14rc1","v0.0.14rc2","v0.0.15","v0.0.16","v0.0.17","v0.0.18rc1","v0.0.18rc2","v0.0.1rc1","v0.0.1rc2","v0.0.1rc3","v0.0.1rc4","v0.0.1rc5","v0.0.1rc6","v0.0.1rc7","v0.0.1rc8","v0.0.1rc9","v0.0.2","v0.0.3","v0.0.4rc1","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v0.1.0","v0.1.1","v0.1.2rc1","v0.1.2rc2","v0.1.2rc3","v0.1.2rc4","v0.1.3","v0.1.3rc1","v0.1.3rc2","v0.1.4","v0.1.4rc1","v0.1.4rc2","v0.1.5","v0.1.5rc1","v0.1.5rc2","v0.1.5rc3","v0.1.5rc4","v0.1.5rc5","v0.1.5rc6","v0.1.6rc1","v0.1.6rc10","v0.1.6rc11","v0.1.6rc12","v0.1.6rc13","v0.1.6rc14","v0.1.6rc15","v0.1.6rc16","v0.1.6rc17","v0.1.6rc2","v0.1.6rc3","v0.1.6rc4","v0.1.6rc5","v0.1.6rc6","v0.1.6rc7","v0.1.6rc8","v0.1.6rc9","v0.10.0","v0.10.0rc0","v0.10.1","v0.10.10","v0.10.11","v0.10.11rc1","v0.10.11rc2","v0.10.11rc3","v0.10.12","v0.10.12rc1","v0.10.12rc2","v0.10.13","v0.10.13rc1","v0.10.14","v0.10.14rc1","v0.10.14rc2","v0.10.14rc3",
"v0.10.14rc4","v0.10.14rc5","v0.10.14rc6","v0.10.14rc7","v0.10.15","v0.10.15rc1","v0.10.16rc1","v0.10.16rc2","v0.10.16rc3","v0.10.16rc4","v0.10.16rc5","v0.10.1rc0","v0.10.1rc1","v0.10.2","v0.10.3","v0.10.4","v0.10.4rc1","v0.10.5","v0.10.6","v0.10.6rc1","v0.10.6rc2","v0.10.7","v0.10.8","v0.10.9","v0.10.9rc1","v0.10.9rc2","v0.10.9rc3","v0.10.9rc4","v0.10.9rc5","v0.10.9rc6","v0.10.9rc7","v0.10.9rc8","v0.10.9rc9","v0.2.1rc1","v0.2.1rc10","v0.2.1rc11","v0.2.1rc12","v0.2.1rc13","v0.2.1rc14","v0.2.1rc15","v0.2.1rc16","v0.2.1rc17","v0.2.1rc18","v0.2.1rc19","v0.2.1rc2","v0.2.1rc20","v0.2.1rc21","v0.2.1rc22","v0.2.1rc3","v0.2.1rc4","v0.2.1rc5","v0.2.1rc6","v0.2.1rc7","v0.2.1rc8","v0.2.1rc9","v0.3.1rc21","v0.3.1rc27","v0.3.1rc28","v0.3.1rc32","v0.3.1rc33","v0.3.1rc34","v0.3.1rc35","v0.3.1rc36","v0.3.1rc37","v0.3.1rc38","v0.3.1rc39","v0.3.1rc4","v0.3.1rc40","v0.3.1rc41","v0.3.1rc42","v0.3.1rc43","v0.3.1rc44","v0.3.1rc45","v0.3.1rc5","v0.3.1rc6","v0.3.1rc7","v0.3.1rc8","v0.3.1rc9","v0.4.0","v0.4.1","v0.4.1rc1","v0.4.1rc2","v0.4.1rc3","v0.4.1rc4","v0.5.0rc1","v0.5.0rc2","v0.5.0rc25","v0.5.0rc3","v0.5.0rc4","v0.5.0rc5","v0.6.1","v0.6.4","v0.6.5","v0.6.5rc1","v0.6.6","v0.6.6rc1","v0.7.11","v0.7.12","v0.7.12rc1","v0.7.13","v0.7.14","v0.7.14rc1","v0.7.14rc2","v0.7.15","v0.7.16","v0.7.17","v0.7.18","v0.7.19","v0.7.20","v0.7.21","v0.7.4","v0.7.5","v0.7.5rc1","v0.7.6","v0.7.6rc1","v0.7.6rc2","v0.7.8","v0.7.9","v0.8.0","v0.8.1","v0.9.10","v0.9.11","v0.9.12","v0.9.12rc1","v0.9.12rc2","v0.9.13","v0.9.13rc1","v0.9.14","v0.9.15","v0.9.16","v0.9.16rc1","v0.9.16rc2","v0.9.16rc3","v0.9.17","v0.9.17rc1","v0.9.18","v0.9.18rc1","v0.9.19","v0.9.20","v0.9.20rc1","v0.9.20rc2","v0.9.20rc3","v0.9.3","v0.9.4","v0.9.4rc1","v0.9.5","v0.9.5rc1","v0.9.5rc2","v0.9.6","v0.9.7","v0.9.8","v0.9.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36309.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}