CVE-2018-9230

Source
https://cve.org/CVERecord?id=CVE-2018-9230
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9230.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-9230
Published
2018-04-02T18:29:00.233Z
Modified
2026-04-10T04:11:37.457339Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions that ignore parameters beyond the hundredth one, which might allow remote attackers to bypass intended access restrictions or interfere with certain Web Application Firewall (ngx_lua_waf or X-WAF) products. NOTE: the vendor has reported that 100 parameters is an intentional default setting, but is adjustable within the API. The vendor's position is that a security-relevant misuse of the API by a WAF product is a vulnerability in the WAF product, not a vulnerability in OpenResty.

References

Affected packages

Git / github.com/openresty/openresty

Affected ranges

Type
GIT
Repo
https://github.com/openresty/openresty
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.13.6.1"
        }
    ]
}

Affected versions

v0.*
v0.8.54.3
v0.8.54.6
v1.*
v1.0.10.1
v1.0.10.11
v1.0.10.13
v1.0.10.15
v1.0.10.17
v1.0.10.19
v1.0.10.21
v1.0.10.23
v1.0.10.24
v1.0.10.25
v1.0.10.27
v1.0.10.29
v1.0.10.3
v1.0.10.31
v1.0.10.33
v1.0.10.35
v1.0.10.41
v1.0.10.43
v1.0.10.44
v1.0.10.45
v1.0.10.47
v1.0.10.48
v1.0.10.5
v1.0.10.7
v1.0.10.9
v1.0.11.11
v1.0.11.15
v1.0.11.17
v1.0.11.19
v1.0.11.21
v1.0.11.23
v1.0.11.25
v1.0.11.27
v1.0.11.28
v1.0.11.3
v1.0.11.7
v1.0.11.9
v1.0.15.1
v1.0.15.10
v1.0.15.11
v1.0.15.3
v1.0.15.5
v1.0.15.7
v1.0.15.9
v1.0.4.1
v1.0.4.2
v1.0.5.0
v1.0.5.1
v1.0.6.22
v1.0.6.3
v1.0.6.5
v1.0.8.1
v1.0.8.11
v1.0.8.13
v1.0.8.15
v1.0.8.17
v1.0.8.19
v1.0.8.21
v1.0.8.26
v1.0.8.3
v1.0.8.5
v1.0.8.7
v1.0.8.9
v1.0.9.1
v1.0.9.10
v1.0.9.3
v1.0.9.5
v1.0.9.7
v1.0.9.9
v1.11.2.1
v1.11.2.2
v1.11.2.3
v1.11.2.5
v1.2.1.1
v1.2.1.11
v1.2.1.13
v1.2.1.14
v1.2.1.3
v1.2.1.5
v1.2.1.7
v1.2.1.9
v1.2.3.1
v1.2.3.3
v1.2.3.5
v1.2.3.7
v1.2.3.8
v1.2.4.1
v1.2.4.11
v1.2.4.13
v1.2.4.14
v1.2.4.3
v1.2.4.5
v1.2.4.7
v1.2.4.9
v1.2.6.1
v1.2.6.3
v1.2.6.5
v1.2.6.6
v1.2.7.1
v1.2.7.3
v1.2.7.5
v1.2.7.6
v1.2.8.1
v1.2.8.5
v1.2.8.6
v1.4.1.1
v1.4.1.3
v1.4.2.1
v1.4.2.3
v1.4.2.5
v1.4.2.7
v1.4.2.8
v1.4.2.9
v1.4.3.1
v1.4.3.3
v1.4.3.4
v1.4.3.6
v1.4.3.7
v1.4.3.9
v1.5.11.1
v1.5.12.1
v1.5.8.1
v1.7.0.1
v1.7.10.1
v1.7.10.2
v1.7.2.1
v1.7.7.1
v1.7.7.2
v1.9.15.1
v1.9.3.1
v1.9.3.1rc1
v1.9.3.2
v1.9.7.1
v1.9.7.2
v1.9.7.3
v1.9.7.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9230.json"