CVE-2018-16845 — Vulnetix

Try Vulnetix Request Demo

CVE-2018-16845 PUBLISHED

nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.

EPSS 6.33% · 90.9th percentile

Risk Scores

EPSS Score

6.33%

90.9th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	nginx	1.9.6-2ubuntu2, 1.10.3-0ubuntu0.16.04.2, 1.10.3-0ubuntu0.16.04.1
Ubuntu:18.04:LTS	nginx	1.14.0-0ubuntu1.1, 0, 1.12.1-0ubuntu2
Ubuntu:14.04:LTS	nginx	1.4.6-1ubuntu3.1, 1.4.6-1ubuntu3, 1.4.6-1ubuntu2

Timeline

Nov 6, 2018 CVE Published
Apr 14, 2021 EPSS Score
Dec 17, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Mar 17, 2025 EPSS Score
Mar 29, 2025 EPSS Score
Mar 30, 2025 EPSS Score
May 1, 2025 EPSS Score
May 15, 2025 EPSS Score
Jun 1, 2025 EPSS Score
Jun 4, 2025 EPSS Score
Jul 1, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2018-16845 third-party-advisory
http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html third-party-advisory
https://ubuntu.com/security/notices/USN-3812-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2018-16845 third-party-advisory

Open in Interactive Console →