NGINX Plus and NGINX Open Source have a vulnerability in the ngxmailsmtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"unresolved_ranges": [
{
"vendor_product": "f5:nginx_plus",
"cpes": [
"cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*",
"cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "r32-p1"
},
{
"last_affected": "r32-p1"
},
{
"introduced": "r32-p2"
},
{
"last_affected": "r32-p2"
},
{
"introduced": "r32-p3"
},
{
"last_affected": "r32-p3"
},
{
"introduced": "r32-p4"
},
{
"last_affected": "r32-p4"
},
{
"introduced": "r33"
},
{
"last_affected": "r33"
},
{
"introduced": "r33-p1"
},
{
"last_affected": "r33-p1"
},
{
"introduced": "r33-p2"
},
{
"last_affected": "r33-p2"
},
{
"introduced": "r33-p3"
},
{
"last_affected": "r33-p3"
},
{
"introduced": "r34"
},
{
"last_affected": "r34"
},
{
"introduced": "r34-p1"
},
{
"last_affected": "r34-p1"
},
{
"introduced": "r34-p2"
},
{
"last_affected": "r34-p2"
},
{
"introduced": "r35"
},
{
"last_affected": "r35"
},
{
"introduced": "r35-p1"
},
{
"last_affected": "r35-p1"
},
{
"introduced": "r36"
},
{
"last_affected": "r36"
},
{
"introduced": "r36-p1"
},
{
"last_affected": "r36-p1"
},
{
"introduced": "r36-p2"
},
{
"last_affected": "r36-p2"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0.6.27"
},
{
"last_affected": "0.9.7"
},
{
"introduced": "1.0.0"
},
{
"fixed": "1.28.3"
},
{
"introduced": "1.29.0"
},
{
"fixed": "1.29.7"
}
],
"source": "CPE_RANGE"
}