
Remote code execution vulnerability in most recent versions of the Nginx server - LinuxBender
https://twitter.com/alisaesage/status/1134400951043874816
======
w-ll
It appears to be an overflow in NJS

[https://github.com/nginx/njs/issues/159](https://github.com/nginx/njs/issues/159)

[https://github.com/nginx/njs/issues/131](https://github.com/nginx/njs/issues/131)

~~~
LinuxBender
nginx confirms [1]

> Thank you Alisa and ZDI for the report. ZDI-CAN-8296 & ZDI-CAN-8495 are
> tracked as
> [https://github.com/nginx/njs/issues/131](https://github.com/nginx/njs/issues/131)
> … and
> [https://github.com/nginx/njs/issues/159](https://github.com/nginx/njs/issues/159)
> …. ZDI-CAN-8296 was fixed in the nJS 0.3.2 release, and ZDI-CAN-8495 will be
> fixed in 0.3.3. Neither bug appears to be generally exploitable.

I am just guessing, but probably only people using NJS have this module
compiled.

[1] -
[https://twitter.com/nginx/status/1134522763731800065](https://twitter.com/nginx/status/1134522763731800065)

