Vulnerability in Nginx Web Server, Plus
CVE-2021-23017
A security issue in the nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite, resulting in a worker process crash or potentially other impact.
EPSS: 0.735 (98.8th percentile)
Affected products
- Nginx Web Server, Plus (vendor: n/a): Nginx Web Server versions 0.6.18 through 1.20.0 (before 1.20.1); Nginx Plus versions R13 through R23 (before R23 P1); Nginx Plus version R24 (before R24 P1)
Weakness classification (CWE)
- Off-by-one Error (CWE-193)
Public proof-of-concept exploits
- M507/CVE-2021-23017-PoC
- 6lj/EVIL-CVE-2021-23017-Update-2025
- z3usx01/CVE-2021-23017-POC
- lakshit1212/CVE-2021-23017-PoC
- niandy/nginx-patch
- moften/CVE-2021-23017
- Cybervixy/Vulnerability-Management
- lukwagoasuman/-home-lukewago-Downloads-CVE-2021-23017-Nginx-1.14
- ShivamDey/CVE-2021-23017
- ChiomaDibor/Vulnerability-Management-of-a-Web-Server-Using-Nessus-and-Patch-Management-with-Ansible
References
- support.f5.com/csp/article/K12331123 (x_refsource_MISC)
- mailman.nginx.org/pipermail/nginx-announce/2021/000300.html (x_refsource_MISC)
- [apisix-notifications] 20210607 [GitHub] [apisix-website] Serendipity96 opened a new pull request #362: feat: add new blog (mailing-list, x_refsource_MLIST)
- [apisix-notifications] 20210608 [GitHub] [apisix-website] liuxiran commented on a change in pull request #362: docs: added "Apache APISIX not affected by NGINX CVE-2021-23017" (mailing-list, x_refsource_MLIST)
- [apisix-notifications] 20210608 [GitHub] [apisix-website] netlify[bot] edited a comment on pull request #362: docs: added "Apache APISIX not affected by NGINX CVE-2021-23017" (mailing-list, x_refsource_MLIST)
- [apisix-notifications] 20210608 [GitHub] [apisix-website] liuxiran merged pull request #362: docs: added "Apache APISIX not affected by NGINX CVE-2021-23017" (mailing-list, x_refsource_MLIST)
- [apisix-notifications] 20210608 [apisix-website] branch master updated: docs: added "Apache APISIX not affected by NGINX CVE-2021-23017" (#362) (mailing-list, x_refsource_MLIST)
- FEDORA-2021-b37cffac0d (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2021-393d698493 (vendor-advisory, x_refsource_FEDORA)
- www.oracle.com/security-alerts/cpuoct2021.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2021-23017?
- CVE-2021-23017 is a vulnerability in Nginx Web Server, Plus, classified under Off-by-one Error. Published 2021-06-01.
- Is CVE-2021-23017 known to be exploited?
- 86 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.