{"id":"CVE-2024-7347","details":"NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.","aliases":["BIT-nginx-2024-7347","BIT-nginx-gateway-2024-7347"],"modified":"2026-04-16T00:02:53.573266568Z","published":"2024-08-14T15:15:31.870Z","related":["ALSA-2025:3261","ALSA-2025:3262","ALSA-2025:7402","SUSE-SU-2025:0282-1","SUSE-SU-2025:0283-1","openSUSE-SU-2024:14271-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00017.html"},{"type":"ADVISORY","url":"https://my.f5.com/manage/s/article/K000140529"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2024/08/14/4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/nginx","events":[{"introduced":"3db1d1a39a725dbf2aea1c678e94a345c045799e"},{"fixed":"37fe98355461d2f03d73e6a8e82ac4e4cd85d711"}]}],"versions":["release-1.11.0","release-1.11.1","release-1.11.10","release-1.11.11","release-1.11.12","release-1.11.13","release-1.11.2","release-1.11.3","release-1.11.4","release-1.11.5","release-1.11.6","release-1.11.7","release-1.11.8","release-1.11.9","release-1.13.0","release-1.13.1","release-1.13.10","release-1.13.11","release-1.13.12","release-1.13.2","release-1.13.3","release-1.13.4","release-1.13.5","release-1.13.6","release-1.13.7","release-1.13.8","release-1.13.9","release-1.15.0","release-1.15.1","release-1.15.10","release-1.15.11","release-1.15.12","release-1.15.2","release-1.15.3","release-1.15.4","release-1.15.5","release-1.15.6","release-1.15.7","release-1.15.8","release-1.15.9","release-1.17.0","release-1.17.1","release-1.17.10","release-1.17.2","release-1.17.3","release-1.17.4","release-1.17.5","release-1.17.6","release-1.17.7","release-1.17.8","release-1.17.9","release-1.19.0","release-1.19.1","release-1.19.10","release-1.19.2","release-1.19.3","release-1.19.4","release-1.19.5","release-1.19.6","release-1.19.7","release-1.19.8","release-1.19.9","release-1.21.0","release-1.21.1","release-1.21.2","release-1.21.3","release-1.21.4","release-1.21.5","release-1.21.6","release-1.23.0","release-1.23.1","release-1.23.2","release-1.23.3","release-1.23.4","release-1.25.0","release-1.25.1","release-1.25.2","release-1.25.3","release-1.25.4","release-1.25.5","release-1.26.0","release-1.26.1","release-1.5.13","release-1.7.0","release-1.7.1","release-1.7.10","release-1.7.11","release-1.7.12","release-1.7.2","release-1.7.3","release-1.7.4","release-1.7.5","release-1.7.6","release-1.7.7","release-1.7.8","release-1.7.9","release-1.9.0","release-1.9.1","release-1.9.10","release-1.9.11","release-1.9.12","release-1.9.13","release-1.9.14","release-1.9.15","release-1.9.2","release-1.9.3","release-1.9.4","release-1.9.5","release-1.9.6","release-1.9.7","release-1.9.8","release-1.9.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-7347.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}