ID CVE-2014-3616
Summary nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.
References
Vulnerable Configurations
  • cpe:2.3:a:nginx:nginx:0.5.6
    cpe:2.3:a:nginx:nginx:0.5.6
  • cpe:2.3:a:nginx:nginx:0.5.7
    cpe:2.3:a:nginx:nginx:0.5.7
  • cpe:2.3:a:nginx:nginx:0.5.8
    cpe:2.3:a:nginx:nginx:0.5.8
  • cpe:2.3:a:nginx:nginx:0.5.9
    cpe:2.3:a:nginx:nginx:0.5.9
  • cpe:2.3:a:nginx:nginx:0.5.10
    cpe:2.3:a:nginx:nginx:0.5.10
  • cpe:2.3:a:nginx:nginx:0.5.11
    cpe:2.3:a:nginx:nginx:0.5.11
  • cpe:2.3:a:nginx:nginx:0.5.12
    cpe:2.3:a:nginx:nginx:0.5.12
  • cpe:2.3:a:nginx:nginx:0.5.13
    cpe:2.3:a:nginx:nginx:0.5.13
  • cpe:2.3:a:nginx:nginx:0.5.14
    cpe:2.3:a:nginx:nginx:0.5.14
  • cpe:2.3:a:nginx:nginx:0.5.15
    cpe:2.3:a:nginx:nginx:0.5.15
  • cpe:2.3:a:nginx:nginx:0.5.16
    cpe:2.3:a:nginx:nginx:0.5.16
  • cpe:2.3:a:nginx:nginx:0.5.17
    cpe:2.3:a:nginx:nginx:0.5.17
  • cpe:2.3:a:nginx:nginx:0.5.18
    cpe:2.3:a:nginx:nginx:0.5.18
  • cpe:2.3:a:nginx:nginx:0.5.19
    cpe:2.3:a:nginx:nginx:0.5.19
  • cpe:2.3:a:nginx:nginx:0.5.20
    cpe:2.3:a:nginx:nginx:0.5.20
  • cpe:2.3:a:nginx:nginx:0.5.21
    cpe:2.3:a:nginx:nginx:0.5.21
  • cpe:2.3:a:nginx:nginx:0.5.22
    cpe:2.3:a:nginx:nginx:0.5.22
  • cpe:2.3:a:nginx:nginx:0.5.23
    cpe:2.3:a:nginx:nginx:0.5.23
  • cpe:2.3:a:nginx:nginx:0.5.24
    cpe:2.3:a:nginx:nginx:0.5.24
  • cpe:2.3:a:nginx:nginx:0.5.25
    cpe:2.3:a:nginx:nginx:0.5.25
  • cpe:2.3:a:nginx:nginx:0.5.26
    cpe:2.3:a:nginx:nginx:0.5.26
  • cpe:2.3:a:nginx:nginx:0.5.27
    cpe:2.3:a:nginx:nginx:0.5.27
  • cpe:2.3:a:nginx:nginx:0.5.28
    cpe:2.3:a:nginx:nginx:0.5.28
  • cpe:2.3:a:nginx:nginx:0.5.29
    cpe:2.3:a:nginx:nginx:0.5.29
  • cpe:2.3:a:nginx:nginx:0.5.30
    cpe:2.3:a:nginx:nginx:0.5.30
  • cpe:2.3:a:nginx:nginx:0.5.31
    cpe:2.3:a:nginx:nginx:0.5.31
  • cpe:2.3:a:nginx:nginx:0.5.32
    cpe:2.3:a:nginx:nginx:0.5.32
  • cpe:2.3:a:nginx:nginx:0.5.33
    cpe:2.3:a:nginx:nginx:0.5.33
  • cpe:2.3:a:nginx:nginx:0.5.34
    cpe:2.3:a:nginx:nginx:0.5.34
  • cpe:2.3:a:nginx:nginx:0.5.35
    cpe:2.3:a:nginx:nginx:0.5.35
  • cpe:2.3:a:nginx:nginx:0.5.36
    cpe:2.3:a:nginx:nginx:0.5.36
  • cpe:2.3:a:nginx:nginx:0.5.37
    cpe:2.3:a:nginx:nginx:0.5.37
  • cpe:2.3:a:nginx:nginx:0.6.0
    cpe:2.3:a:nginx:nginx:0.6.0
  • cpe:2.3:a:nginx:nginx:0.6.1
    cpe:2.3:a:nginx:nginx:0.6.1
  • cpe:2.3:a:nginx:nginx:0.6.10
    cpe:2.3:a:nginx:nginx:0.6.10
  • cpe:2.3:a:nginx:nginx:0.6.11
    cpe:2.3:a:nginx:nginx:0.6.11
  • cpe:2.3:a:nginx:nginx:0.6.12
    cpe:2.3:a:nginx:nginx:0.6.12
  • cpe:2.3:a:nginx:nginx:0.6.13
    cpe:2.3:a:nginx:nginx:0.6.13
  • cpe:2.3:a:nginx:nginx:0.6.14
    cpe:2.3:a:nginx:nginx:0.6.14
  • cpe:2.3:a:nginx:nginx:0.6.15
    cpe:2.3:a:nginx:nginx:0.6.15
  • cpe:2.3:a:nginx:nginx:0.6.1516
    cpe:2.3:a:nginx:nginx:0.6.1516
  • cpe:2.3:a:nginx:nginx:0.6.16
    cpe:2.3:a:nginx:nginx:0.6.16
  • cpe:2.3:a:nginx:nginx:0.6.17
    cpe:2.3:a:nginx:nginx:0.6.17
  • cpe:2.3:a:nginx:nginx:0.6.18
    cpe:2.3:a:nginx:nginx:0.6.18
  • cpe:2.3:a:nginx:nginx:0.6.19
    cpe:2.3:a:nginx:nginx:0.6.19
  • cpe:2.3:a:nginx:nginx:0.6.2
    cpe:2.3:a:nginx:nginx:0.6.2
  • cpe:2.3:a:nginx:nginx:0.6.20
    cpe:2.3:a:nginx:nginx:0.6.20
  • cpe:2.3:a:nginx:nginx:0.6.21
    cpe:2.3:a:nginx:nginx:0.6.21
  • cpe:2.3:a:nginx:nginx:0.6.22
    cpe:2.3:a:nginx:nginx:0.6.22
  • cpe:2.3:a:nginx:nginx:0.6.23
    cpe:2.3:a:nginx:nginx:0.6.23
  • cpe:2.3:a:nginx:nginx:0.6.24
    cpe:2.3:a:nginx:nginx:0.6.24
  • cpe:2.3:a:nginx:nginx:0.6.25
    cpe:2.3:a:nginx:nginx:0.6.25
  • cpe:2.3:a:nginx:nginx:0.6.26
    cpe:2.3:a:nginx:nginx:0.6.26
  • cpe:2.3:a:nginx:nginx:0.6.27
    cpe:2.3:a:nginx:nginx:0.6.27
  • cpe:2.3:a:nginx:nginx:0.6.28
    cpe:2.3:a:nginx:nginx:0.6.28
  • cpe:2.3:a:nginx:nginx:0.6.29
    cpe:2.3:a:nginx:nginx:0.6.29
  • cpe:2.3:a:nginx:nginx:0.6.3
    cpe:2.3:a:nginx:nginx:0.6.3
  • cpe:2.3:a:nginx:nginx:0.6.30
    cpe:2.3:a:nginx:nginx:0.6.30
  • cpe:2.3:a:nginx:nginx:0.6.31
    cpe:2.3:a:nginx:nginx:0.6.31
  • cpe:2.3:a:nginx:nginx:0.6.32
    cpe:2.3:a:nginx:nginx:0.6.32
  • cpe:2.3:a:nginx:nginx:0.6.33
    cpe:2.3:a:nginx:nginx:0.6.33
  • cpe:2.3:a:nginx:nginx:0.6.34
    cpe:2.3:a:nginx:nginx:0.6.34
  • cpe:2.3:a:nginx:nginx:0.6.35
    cpe:2.3:a:nginx:nginx:0.6.35
  • cpe:2.3:a:nginx:nginx:0.6.36
    cpe:2.3:a:nginx:nginx:0.6.36
  • cpe:2.3:a:nginx:nginx:0.6.37
    cpe:2.3:a:nginx:nginx:0.6.37
  • cpe:2.3:a:nginx:nginx:0.6.38
    cpe:2.3:a:nginx:nginx:0.6.38
  • cpe:2.3:a:nginx:nginx:0.6.4
    cpe:2.3:a:nginx:nginx:0.6.4
  • cpe:2.3:a:nginx:nginx:0.6.5
    cpe:2.3:a:nginx:nginx:0.6.5
  • cpe:2.3:a:nginx:nginx:0.6.6
    cpe:2.3:a:nginx:nginx:0.6.6
  • cpe:2.3:a:nginx:nginx:0.6.7
    cpe:2.3:a:nginx:nginx:0.6.7
  • cpe:2.3:a:nginx:nginx:0.6.8
    cpe:2.3:a:nginx:nginx:0.6.8
  • cpe:2.3:a:nginx:nginx:0.6.9
    cpe:2.3:a:nginx:nginx:0.6.9
  • cpe:2.3:a:nginx:nginx:0.7.0
    cpe:2.3:a:nginx:nginx:0.7.0
  • cpe:2.3:a:nginx:nginx:0.7.1
    cpe:2.3:a:nginx:nginx:0.7.1
  • cpe:2.3:a:nginx:nginx:0.7.10
    cpe:2.3:a:nginx:nginx:0.7.10
  • cpe:2.3:a:nginx:nginx:0.7.11
    cpe:2.3:a:nginx:nginx:0.7.11
  • cpe:2.3:a:nginx:nginx:0.7.12
    cpe:2.3:a:nginx:nginx:0.7.12
  • cpe:2.3:a:nginx:nginx:0.7.13
    cpe:2.3:a:nginx:nginx:0.7.13
  • cpe:2.3:a:nginx:nginx:0.7.14
    cpe:2.3:a:nginx:nginx:0.7.14
  • cpe:2.3:a:nginx:nginx:0.7.15
    cpe:2.3:a:nginx:nginx:0.7.15
  • cpe:2.3:a:nginx:nginx:0.7.16
    cpe:2.3:a:nginx:nginx:0.7.16
  • cpe:2.3:a:nginx:nginx:0.7.17
    cpe:2.3:a:nginx:nginx:0.7.17
  • cpe:2.3:a:nginx:nginx:0.7.18
    cpe:2.3:a:nginx:nginx:0.7.18
  • cpe:2.3:a:nginx:nginx:0.7.19
    cpe:2.3:a:nginx:nginx:0.7.19
  • cpe:2.3:a:nginx:nginx:0.7.2
    cpe:2.3:a:nginx:nginx:0.7.2
  • cpe:2.3:a:nginx:nginx:0.7.20
    cpe:2.3:a:nginx:nginx:0.7.20
  • cpe:2.3:a:nginx:nginx:0.7.21
    cpe:2.3:a:nginx:nginx:0.7.21
  • cpe:2.3:a:nginx:nginx:0.7.22
    cpe:2.3:a:nginx:nginx:0.7.22
  • cpe:2.3:a:nginx:nginx:0.7.23
    cpe:2.3:a:nginx:nginx:0.7.23
  • cpe:2.3:a:nginx:nginx:0.7.24
    cpe:2.3:a:nginx:nginx:0.7.24
  • cpe:2.3:a:nginx:nginx:0.7.25
    cpe:2.3:a:nginx:nginx:0.7.25
  • cpe:2.3:a:nginx:nginx:0.7.26
    cpe:2.3:a:nginx:nginx:0.7.26
  • cpe:2.3:a:nginx:nginx:0.7.27
    cpe:2.3:a:nginx:nginx:0.7.27
  • cpe:2.3:a:nginx:nginx:0.7.28
    cpe:2.3:a:nginx:nginx:0.7.28
  • cpe:2.3:a:nginx:nginx:0.7.29
    cpe:2.3:a:nginx:nginx:0.7.29
  • cpe:2.3:a:nginx:nginx:0.7.3
    cpe:2.3:a:nginx:nginx:0.7.3
  • cpe:2.3:a:nginx:nginx:0.7.30
    cpe:2.3:a:nginx:nginx:0.7.30
  • cpe:2.3:a:nginx:nginx:0.7.31
    cpe:2.3:a:nginx:nginx:0.7.31
  • cpe:2.3:a:nginx:nginx:0.7.32
    cpe:2.3:a:nginx:nginx:0.7.32
  • cpe:2.3:a:nginx:nginx:0.7.33
    cpe:2.3:a:nginx:nginx:0.7.33
  • cpe:2.3:a:nginx:nginx:0.7.34
    cpe:2.3:a:nginx:nginx:0.7.34
  • cpe:2.3:a:nginx:nginx:0.7.35
    cpe:2.3:a:nginx:nginx:0.7.35
  • cpe:2.3:a:nginx:nginx:0.7.36
    cpe:2.3:a:nginx:nginx:0.7.36
  • cpe:2.3:a:nginx:nginx:0.7.37
    cpe:2.3:a:nginx:nginx:0.7.37
  • cpe:2.3:a:nginx:nginx:0.7.38
    cpe:2.3:a:nginx:nginx:0.7.38
  • cpe:2.3:a:nginx:nginx:0.7.39
    cpe:2.3:a:nginx:nginx:0.7.39
  • cpe:2.3:a:nginx:nginx:0.7.4
    cpe:2.3:a:nginx:nginx:0.7.4
  • cpe:2.3:a:nginx:nginx:0.7.40
    cpe:2.3:a:nginx:nginx:0.7.40
  • cpe:2.3:a:nginx:nginx:0.7.41
    cpe:2.3:a:nginx:nginx:0.7.41
  • cpe:2.3:a:nginx:nginx:0.7.42
    cpe:2.3:a:nginx:nginx:0.7.42
  • cpe:2.3:a:nginx:nginx:0.7.43
    cpe:2.3:a:nginx:nginx:0.7.43
  • cpe:2.3:a:nginx:nginx:0.7.44
    cpe:2.3:a:nginx:nginx:0.7.44
  • cpe:2.3:a:nginx:nginx:0.7.45
    cpe:2.3:a:nginx:nginx:0.7.45
  • cpe:2.3:a:nginx:nginx:0.7.46
    cpe:2.3:a:nginx:nginx:0.7.46
  • cpe:2.3:a:nginx:nginx:0.7.47
    cpe:2.3:a:nginx:nginx:0.7.47
  • cpe:2.3:a:nginx:nginx:0.7.48
    cpe:2.3:a:nginx:nginx:0.7.48
  • cpe:2.3:a:nginx:nginx:0.7.49
    cpe:2.3:a:nginx:nginx:0.7.49
  • cpe:2.3:a:nginx:nginx:0.7.5
    cpe:2.3:a:nginx:nginx:0.7.5
  • cpe:2.3:a:nginx:nginx:0.7.50
    cpe:2.3:a:nginx:nginx:0.7.50
  • cpe:2.3:a:nginx:nginx:0.7.51
    cpe:2.3:a:nginx:nginx:0.7.51
  • cpe:2.3:a:nginx:nginx:0.7.52
    cpe:2.3:a:nginx:nginx:0.7.52
  • cpe:2.3:a:nginx:nginx:0.7.53
    cpe:2.3:a:nginx:nginx:0.7.53
  • cpe:2.3:a:nginx:nginx:0.7.54
    cpe:2.3:a:nginx:nginx:0.7.54
  • cpe:2.3:a:nginx:nginx:0.7.55
    cpe:2.3:a:nginx:nginx:0.7.55
  • cpe:2.3:a:nginx:nginx:0.7.56
    cpe:2.3:a:nginx:nginx:0.7.56
  • cpe:2.3:a:nginx:nginx:0.7.57
    cpe:2.3:a:nginx:nginx:0.7.57
  • cpe:2.3:a:nginx:nginx:0.7.58
    cpe:2.3:a:nginx:nginx:0.7.58
  • cpe:2.3:a:nginx:nginx:0.7.59
    cpe:2.3:a:nginx:nginx:0.7.59
  • cpe:2.3:a:nginx:nginx:0.7.6
    cpe:2.3:a:nginx:nginx:0.7.6
  • cpe:2.3:a:nginx:nginx:0.7.60
    cpe:2.3:a:nginx:nginx:0.7.60
  • cpe:2.3:a:nginx:nginx:0.7.61
    cpe:2.3:a:nginx:nginx:0.7.61
  • cpe:2.3:a:nginx:nginx:0.7.62
    cpe:2.3:a:nginx:nginx:0.7.62
  • cpe:2.3:a:nginx:nginx:0.7.63
    cpe:2.3:a:nginx:nginx:0.7.63
  • cpe:2.3:a:nginx:nginx:0.7.64
    cpe:2.3:a:nginx:nginx:0.7.64
  • cpe:2.3:a:nginx:nginx:0.7.65
    cpe:2.3:a:nginx:nginx:0.7.65
  • cpe:2.3:a:nginx:nginx:0.7.66
    cpe:2.3:a:nginx:nginx:0.7.66
  • cpe:2.3:a:nginx:nginx:0.7.67
    cpe:2.3:a:nginx:nginx:0.7.67
  • cpe:2.3:a:nginx:nginx:0.7.7
    cpe:2.3:a:nginx:nginx:0.7.7
  • cpe:2.3:a:nginx:nginx:0.7.8
    cpe:2.3:a:nginx:nginx:0.7.8
  • cpe:2.3:a:nginx:nginx:0.7.9
    cpe:2.3:a:nginx:nginx:0.7.9
  • cpe:2.3:a:nginx:nginx:0.8.0
    cpe:2.3:a:nginx:nginx:0.8.0
  • cpe:2.3:a:nginx:nginx:0.8.1
    cpe:2.3:a:nginx:nginx:0.8.1
  • cpe:2.3:a:nginx:nginx:0.8.10
    cpe:2.3:a:nginx:nginx:0.8.10
  • cpe:2.3:a:nginx:nginx:0.8.11
    cpe:2.3:a:nginx:nginx:0.8.11
  • cpe:2.3:a:nginx:nginx:0.8.12
    cpe:2.3:a:nginx:nginx:0.8.12
  • cpe:2.3:a:nginx:nginx:0.8.13
    cpe:2.3:a:nginx:nginx:0.8.13
  • cpe:2.3:a:nginx:nginx:0.8.14
    cpe:2.3:a:nginx:nginx:0.8.14
  • cpe:2.3:a:nginx:nginx:0.8.15
    cpe:2.3:a:nginx:nginx:0.8.15
  • cpe:2.3:a:nginx:nginx:0.8.16
    cpe:2.3:a:nginx:nginx:0.8.16
  • cpe:2.3:a:nginx:nginx:0.8.17
    cpe:2.3:a:nginx:nginx:0.8.17
  • cpe:2.3:a:nginx:nginx:0.8.18
    cpe:2.3:a:nginx:nginx:0.8.18
  • cpe:2.3:a:nginx:nginx:0.8.19
    cpe:2.3:a:nginx:nginx:0.8.19
  • cpe:2.3:a:nginx:nginx:0.8.2
    cpe:2.3:a:nginx:nginx:0.8.2
  • cpe:2.3:a:nginx:nginx:0.8.20
    cpe:2.3:a:nginx:nginx:0.8.20
  • cpe:2.3:a:nginx:nginx:0.8.21
    cpe:2.3:a:nginx:nginx:0.8.21
  • cpe:2.3:a:nginx:nginx:0.8.22
    cpe:2.3:a:nginx:nginx:0.8.22
  • cpe:2.3:a:nginx:nginx:0.8.23
    cpe:2.3:a:nginx:nginx:0.8.23
  • cpe:2.3:a:nginx:nginx:0.8.24
    cpe:2.3:a:nginx:nginx:0.8.24
  • cpe:2.3:a:nginx:nginx:0.8.25
    cpe:2.3:a:nginx:nginx:0.8.25
  • cpe:2.3:a:nginx:nginx:0.8.26
    cpe:2.3:a:nginx:nginx:0.8.26
  • cpe:2.3:a:nginx:nginx:0.8.27
    cpe:2.3:a:nginx:nginx:0.8.27
  • cpe:2.3:a:nginx:nginx:0.8.28
    cpe:2.3:a:nginx:nginx:0.8.28
  • cpe:2.3:a:nginx:nginx:0.8.29
    cpe:2.3:a:nginx:nginx:0.8.29
  • cpe:2.3:a:nginx:nginx:0.8.3
    cpe:2.3:a:nginx:nginx:0.8.3
  • cpe:2.3:a:nginx:nginx:0.8.30
    cpe:2.3:a:nginx:nginx:0.8.30
  • cpe:2.3:a:nginx:nginx:0.8.31
    cpe:2.3:a:nginx:nginx:0.8.31
  • cpe:2.3:a:nginx:nginx:0.8.32
    cpe:2.3:a:nginx:nginx:0.8.32
  • cpe:2.3:a:nginx:nginx:0.8.33
    cpe:2.3:a:nginx:nginx:0.8.33
  • cpe:2.3:a:nginx:nginx:0.8.34
    cpe:2.3:a:nginx:nginx:0.8.34
  • cpe:2.3:a:nginx:nginx:0.8.35
    cpe:2.3:a:nginx:nginx:0.8.35
  • cpe:2.3:a:nginx:nginx:0.8.36
    cpe:2.3:a:nginx:nginx:0.8.36
  • cpe:2.3:a:nginx:nginx:0.8.37
    cpe:2.3:a:nginx:nginx:0.8.37
  • cpe:2.3:a:nginx:nginx:0.8.38
    cpe:2.3:a:nginx:nginx:0.8.38
  • cpe:2.3:a:nginx:nginx:0.8.39
    cpe:2.3:a:nginx:nginx:0.8.39
  • cpe:2.3:a:nginx:nginx:0.8.4
    cpe:2.3:a:nginx:nginx:0.8.4
  • cpe:2.3:a:nginx:nginx:0.8.40
    cpe:2.3:a:nginx:nginx:0.8.40
  • cpe:2.3:a:nginx:nginx:0.8.41
    cpe:2.3:a:nginx:nginx:0.8.41
  • cpe:2.3:a:nginx:nginx:0.8.42
    cpe:2.3:a:nginx:nginx:0.8.42
  • cpe:2.3:a:nginx:nginx:0.8.43
    cpe:2.3:a:nginx:nginx:0.8.43
  • cpe:2.3:a:nginx:nginx:0.8.44
    cpe:2.3:a:nginx:nginx:0.8.44
  • cpe:2.3:a:nginx:nginx:0.8.45
    cpe:2.3:a:nginx:nginx:0.8.45
  • cpe:2.3:a:nginx:nginx:0.8.46
    cpe:2.3:a:nginx:nginx:0.8.46
  • cpe:2.3:a:nginx:nginx:0.8.47
    cpe:2.3:a:nginx:nginx:0.8.47
  • cpe:2.3:a:nginx:nginx:0.8.48
    cpe:2.3:a:nginx:nginx:0.8.48
  • cpe:2.3:a:nginx:nginx:0.8.49
    cpe:2.3:a:nginx:nginx:0.8.49
  • cpe:2.3:a:nginx:nginx:0.8.5
    cpe:2.3:a:nginx:nginx:0.8.5
  • cpe:2.3:a:nginx:nginx:0.8.50
    cpe:2.3:a:nginx:nginx:0.8.50
  • cpe:2.3:a:nginx:nginx:0.8.51
    cpe:2.3:a:nginx:nginx:0.8.51
  • cpe:2.3:a:nginx:nginx:0.8.52
    cpe:2.3:a:nginx:nginx:0.8.52
  • cpe:2.3:a:nginx:nginx:0.8.53
    cpe:2.3:a:nginx:nginx:0.8.53
  • cpe:2.3:a:nginx:nginx:0.8.6
    cpe:2.3:a:nginx:nginx:0.8.6
  • cpe:2.3:a:nginx:nginx:0.8.7
    cpe:2.3:a:nginx:nginx:0.8.7
  • cpe:2.3:a:nginx:nginx:0.8.8
    cpe:2.3:a:nginx:nginx:0.8.8
  • cpe:2.3:a:nginx:nginx:0.8.9
    cpe:2.3:a:nginx:nginx:0.8.9
  • cpe:2.3:a:nginx:nginx:0.9.0
    cpe:2.3:a:nginx:nginx:0.9.0
  • cpe:2.3:a:nginx:nginx:0.9.1
    cpe:2.3:a:nginx:nginx:0.9.1
  • cpe:2.3:a:nginx:nginx:0.9.2
    cpe:2.3:a:nginx:nginx:0.9.2
  • cpe:2.3:a:nginx:nginx:0.9.3
    cpe:2.3:a:nginx:nginx:0.9.3
  • cpe:2.3:a:nginx:nginx:0.9.4
    cpe:2.3:a:nginx:nginx:0.9.4
  • cpe:2.3:a:nginx:nginx:0.9.5
    cpe:2.3:a:nginx:nginx:0.9.5
  • cpe:2.3:a:nginx:nginx:0.9.6
    cpe:2.3:a:nginx:nginx:0.9.6
  • cpe:2.3:a:nginx:nginx:0.9.7
    cpe:2.3:a:nginx:nginx:0.9.7
  • Nginx 1.0.0
    cpe:2.3:a:nginx:nginx:1.0.0
  • Nginx 1.0.1
    cpe:2.3:a:nginx:nginx:1.0.1
  • Nginx 1.0.10
    cpe:2.3:a:nginx:nginx:1.0.10
  • Nginx 1.0.11
    cpe:2.3:a:nginx:nginx:1.0.11
  • Nginx 1.0.12
    cpe:2.3:a:nginx:nginx:1.0.12
  • Nginx 1.0.13
    cpe:2.3:a:nginx:nginx:1.0.13
  • Nginx 1.0.14
    cpe:2.3:a:nginx:nginx:1.0.14
  • Nginx 1.0.15
    cpe:2.3:a:nginx:nginx:1.0.15
  • Nginx 1.0.2
    cpe:2.3:a:nginx:nginx:1.0.2
  • Nginx 1.0.3
    cpe:2.3:a:nginx:nginx:1.0.3
  • Nginx 1.0.4
    cpe:2.3:a:nginx:nginx:1.0.4
  • Nginx 1.0.5
    cpe:2.3:a:nginx:nginx:1.0.5
  • Nginx 1.0.6
    cpe:2.3:a:nginx:nginx:1.0.6
  • Nginx 1.0.7
    cpe:2.3:a:nginx:nginx:1.0.7
  • Nginx 1.0.8
    cpe:2.3:a:nginx:nginx:1.0.8
  • Nginx 1.0.9
    cpe:2.3:a:nginx:nginx:1.0.9
  • Nginx 1.1.0
    cpe:2.3:a:nginx:nginx:1.1.0
  • Nginx 1.1.1
    cpe:2.3:a:nginx:nginx:1.1.1
  • Nginx 1.1.10
    cpe:2.3:a:nginx:nginx:1.1.10
  • Nginx 1.1.11
    cpe:2.3:a:nginx:nginx:1.1.11
  • Nginx 1.1.12
    cpe:2.3:a:nginx:nginx:1.1.12
  • Nginx 1.1.13
    cpe:2.3:a:nginx:nginx:1.1.13
  • Nginx 1.1.14
    cpe:2.3:a:nginx:nginx:1.1.14
  • Nginx 1.1.15
    cpe:2.3:a:nginx:nginx:1.1.15
  • Nginx 1.1.16
    cpe:2.3:a:nginx:nginx:1.1.16
  • Nginx 1.1.17
    cpe:2.3:a:nginx:nginx:1.1.17
  • Nginx 1.1.18
    cpe:2.3:a:nginx:nginx:1.1.18
  • Nginx 1.1.19
    cpe:2.3:a:nginx:nginx:1.1.19
  • Nginx 1.1.2
    cpe:2.3:a:nginx:nginx:1.1.2
  • Nginx 1.1.3
    cpe:2.3:a:nginx:nginx:1.1.3
  • Nginx 1.1.4
    cpe:2.3:a:nginx:nginx:1.1.4
  • Nginx 1.1.5
    cpe:2.3:a:nginx:nginx:1.1.5
  • Nginx 1.1.6
    cpe:2.3:a:nginx:nginx:1.1.6
  • Nginx 1.1.7
    cpe:2.3:a:nginx:nginx:1.1.7
  • Nginx 1.1.8
    cpe:2.3:a:nginx:nginx:1.1.8
  • Nginx 1.1.9
    cpe:2.3:a:nginx:nginx:1.1.9
  • Nginx 1.2.0
    cpe:2.3:a:nginx:nginx:1.2.0
  • Nginx 1.3.0
    cpe:2.3:a:nginx:nginx:1.3.0
  • Nginx 1.3.1
    cpe:2.3:a:nginx:nginx:1.3.1
  • Nginx 1.3.10
    cpe:2.3:a:nginx:nginx:1.3.10
  • Nginx 1.3.11
    cpe:2.3:a:nginx:nginx:1.3.11
  • Nginx 1.3.12
    cpe:2.3:a:nginx:nginx:1.3.12
  • Nginx 1.3.13
    cpe:2.3:a:nginx:nginx:1.3.13
  • Nginx 1.3.14
    cpe:2.3:a:nginx:nginx:1.3.14
  • Nginx 1.3.15
    cpe:2.3:a:nginx:nginx:1.3.15
  • Nginx 1.3.16
    cpe:2.3:a:nginx:nginx:1.3.16
  • Nginx 1.3.2
    cpe:2.3:a:nginx:nginx:1.3.2
  • Nginx 1.3.3
    cpe:2.3:a:nginx:nginx:1.3.3
  • Nginx 1.3.4
    cpe:2.3:a:nginx:nginx:1.3.4
  • Nginx 1.3.5
    cpe:2.3:a:nginx:nginx:1.3.5
  • Nginx 1.3.6
    cpe:2.3:a:nginx:nginx:1.3.6
  • Nginx 1.3.7
    cpe:2.3:a:nginx:nginx:1.3.7
  • Nginx 1.3.8
    cpe:2.3:a:nginx:nginx:1.3.8
  • Nginx 1.3.9
    cpe:2.3:a:nginx:nginx:1.3.9
  • Nginx 1.4.0
    cpe:2.3:a:nginx:nginx:1.4.0
  • Nginx 1.4.1
    cpe:2.3:a:nginx:nginx:1.4.1
  • Nginx 1.4.2
    cpe:2.3:a:nginx:nginx:1.4.2
  • Nginx 1.4.3
    cpe:2.3:a:nginx:nginx:1.4.3
  • Nginx 1.5.0
    cpe:2.3:a:nginx:nginx:1.5.0
  • Nginx 1.5.1
    cpe:2.3:a:nginx:nginx:1.5.1
  • Nginx 1.5.10
    cpe:2.3:a:nginx:nginx:1.5.10
  • Nginx 1.5.11
    cpe:2.3:a:nginx:nginx:1.5.11
  • Nginx 1.5.12
    cpe:2.3:a:nginx:nginx:1.5.12
  • Nginx 1.5.2
    cpe:2.3:a:nginx:nginx:1.5.2
  • Nginx 1.5.3
    cpe:2.3:a:nginx:nginx:1.5.3
  • Nginx 1.5.4
    cpe:2.3:a:nginx:nginx:1.5.4
  • Nginx 1.5.5
    cpe:2.3:a:nginx:nginx:1.5.5
  • Nginx 1.5.6
    cpe:2.3:a:nginx:nginx:1.5.6
  • Nginx 1.5.7
    cpe:2.3:a:nginx:nginx:1.5.7
  • Nginx 1.5.8
    cpe:2.3:a:nginx:nginx:1.5.8
  • Nginx 1.5.9
    cpe:2.3:a:nginx:nginx:1.5.9
  • cpe:2.3:a:nginx:nginx:1.5.13
    cpe:2.3:a:nginx:nginx:1.5.13
  • cpe:2.3:a:nginx:nginx:1.7.0
    cpe:2.3:a:nginx:nginx:1.7.0
  • cpe:2.3:a:nginx:nginx:1.7.1
    cpe:2.3:a:nginx:nginx:1.7.1
  • cpe:2.3:a:nginx:nginx:1.7.2
    cpe:2.3:a:nginx:nginx:1.7.2
  • cpe:2.3:a:nginx:nginx:1.7.3
    cpe:2.3:a:nginx:nginx:1.7.3
  • cpe:2.3:a:nginx:nginx:1.7.4
    cpe:2.3:a:nginx:nginx:1.7.4
CVSS
Base: 4.3 (as of 08-12-2014 - 12:55)
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-421.NASL
    description A virtual host confusion issue was found in nginx, allowing HTTPS connections for one origin to be redirected to the virtual host of a different origin. This leads to a variety of issues, such as cookie theft and session hijacking. It could be triggered from a cross-site scripting flaw, tricking a user into visiting a malicious URL, and so on.
    last seen 2019-01-16
    modified 2018-04-18
    plugin id 78364
    published 2014-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78364
    title Amazon Linux AMI : nginx (ALAS-2014-421)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-11251.NASL
    description - Security fix for CVE-2014-3616 - Create nginx-filesystem subpackage Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-05
    plugin id 77975
    published 2014-09-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77975
    title Fedora 21 : nginx-1.6.2-2.fc21 (2014-11251)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2351-1.NASL
    description Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that nginx incorrectly reused cached SSL sessions. An attacker could possibly use this issue in certain configurations to obtain access to information from a different virtual host. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 77808
    published 2014-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77808
    title Ubuntu 14.04 LTS : nginx vulnerability (USN-2351-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3029.NASL
    description Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was possible to reuse cached SSL sessions in unrelated contexts, allowing virtual host confusion attacks in some configurations by an attacker in a privileged network position.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 77762
    published 2014-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77762
    title Debian DSA-3029-1 : nginx - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-11370.NASL
    description - Security fix for CVE-2014-3616 - Create nginx-filesystem subpackage Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-05
    plugin id 78242
    published 2014-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78242
    title Fedora 19 : nginx-1.4.7-3.fc19 (2014-11370)
  • NASL family Web Servers
    NASL id NGINX_1_7_5.NASL
    description According to the self-reported version in the server response header, the version of nginx installed on the remote host is 0.5.6 or higher, 1.6.x prior to 1.6.2, or 1.7.x prior to 1.7.5. It is, therefore, affected by an SSL session or TLS session ticket key handling error. A flaw exists in the file 'event/ngx_event_openssl.c' that could allow a remote attacker to obtain sensitive information or to take control of a session. Note that this issue only affects servers having multiple 'server{}' configurations sharing the same values for 'ssl_session_cache' or 'ssl_session_ticket_key'.
    last seen 2019-01-16
    modified 2018-09-17
    plugin id 78386
    published 2014-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78386
    title nginx < 1.6.2 / 1.7.5 SSL Session Reuse
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-11415.NASL
    description - Security fix for CVE-2014-3616 - Create nginx-filesystem subpackage Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-05
    plugin id 78243
    published 2014-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78243
    title Fedora 20 : nginx-1.4.7-3.fc20 (2014-11415)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_77B784BB3DC611E4B191F0DEF16C5C1B.NASL
    description The nginx project reports : Security: it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple 'server' blocks (CVE-2014-3616).
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 77717
    published 2014-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77717
    title FreeBSD : nginx -- inject commands into SSL session vulnerability (77b784bb-3dc6-11e4-b191-f0def16c5c1b)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-094.NASL
    description Updated nginx package fixes security vulnerabilities : A bug in the experimental SPDY implementation in nginx was found, which might allow an attacker to cause a heap memory buffer overflow in a worker process by using a specially crafted request, potentially resulting in arbitrary code execution (CVE-2014-0133). Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was possible to reuse cached SSL sessions in unrelated contexts, allowing virtual host confusion attacks in some configurations by an attacker in a privileged network position (CVE-2014-3616).
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 82347
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82347
    title Mandriva Linux Security Advisory : nginx (MDVSA-2015:094)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-55.NASL
    description Antoine Delignat-Lavaud discovered that it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple 'server' blocks. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 82201
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82201
    title Debian DLA-55-1 : nginx security update
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201502-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201502-06 (nginx: Information disclosure) An SSL session fixation vulnerability has been found in nginx when multiple servers use the same shared ssl_session_cache or ssl_session_ticket_key. Impact : A remote attacker may be able to obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-01-16
    modified 2018-12-05
    plugin id 81229
    published 2015-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81229
    title GLSA-201502-06 : nginx: Information disclosure
refmap via4
debian DSA-3029
mlist [nginx-announce] 20140916 nginx security advisory (CVE-2014-3616)
Last major update 08-12-2014 - 12:55
Published 08-12-2014 - 06:59
Back to Top