CloudSecurityAlliance/gsd-database

[GSD-2022-1000285] GSD Request

GSD-automation opened this issue · 1 comment

--- GSD JSON ---
{
  "vendor_name": "Nginx",
  "product_name": "Nginx",
  "product_version": "all versions",
  "vulnerability_type": "Unsafe default configuration values",
  "affected_component": "web server",
  "attack_vector": "network",
  "impact": "disclosure of information and availability",
  "credit": "",
  "references": [
    "https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#unsecured-metrics"
  ],
  "reporter": "kurtseifried",
  "reporter_id": 582211,
  "notes": "",
  "description": "# INFORMATIONAL\r\n\r\nIn Nginx, all versions, a number of unsafe default configuration values exist in the web server that can be attacked via the network, resulting in disclosure of information and loss of availability. These include but are not limited to:\r\n\r\n1. Not enough file descriptors per worker\r\n2. The error_log off directive\r\n3. Not enabling keepalive connections to upstream servers\r\n4. Forgetting how directive inheritance works\r\n5. The proxy_buffering off directive\r\n6. Improper use of the if directive\r\n7. Excessive health checks\r\n8. Unsecured access to metrics\r\n9. Using ip_hash when all traffic comes from the same /24 CIDR block\r\n10. Not taking advantage of upstream groups\r\n"
}
--- GSD JSON ---

/cc @kurtseifried
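As an added illustration of the ten items in the record above (this fragment is not part of the GSD entry or of the NGINX blog post it cites), the nginx.conf below places each listed mistake, commented out, beside a corrected setting. The upstream name `backend`, the addresses `10.0.0.10`/`10.0.0.11`, the `10.0.0.0/24` monitoring subnet, port `8081`, and the log path are placeholders chosen for the example; the numeric limits are illustrative, not recommended values for any particular host.

```nginx
# Added example, not code from the GSD record or the NGINX blog post.
# Numbers in comments refer to the items in the record's description.
# All names, addresses, ports and paths below are placeholders.

# 1. Not enough file descriptors per worker: worker_connections alone does
#    not raise the per-process fd limit, and a proxy uses two fds per client.
worker_processes auto;
worker_rlimit_nofile 20000;             # roughly 2x worker_connections

events {
    worker_connections 10000;
}

# 2. "error_log off" does not disable logging; it writes the log to a file
#    literally named "off" under the nginx prefix directory. Keep the log
#    (incident response depends on it); only /dev/null genuinely discards it.
# error_log off;                                  # mistake
error_log /var/log/nginx/error.log warn;          # corrected
# error_log /dev/null emerg;                      # the only real "off"

http {
    # 10. Use an upstream group rather than proxy_pass http://10.0.0.10:8080
    upstream backend {
        # 9. ip_hash keys on the first three octets of an IPv4 address, so
        #    clients that all arrive from one /24 hit the same server.
        # ip_hash;                                # mistake
        hash $binary_remote_addr consistent;      # corrected: full address

        # 7. Passive checks only; no extra probe traffic against the backends.
        server 10.0.0.10:8080 max_fails=3 fail_timeout=30s;
        server 10.0.0.11:8080 max_fails=3 fail_timeout=30s;

        # 3. Keep a pool of idle connections open to the upstream servers.
        keepalive 16;
    }

    server {
        listen 80;

        # 4. Directive inheritance: an add_header in a child location replaces
        #    every add_header from the parent, so repeat the parent's headers
        #    in any child that adds its own.
        add_header X-Content-Type-Options nosniff;

        location / {
            proxy_pass http://backend;

            # 3 (cont.): HTTP/1.1 and an empty Connection header are required
            #    for the keepalive pool above to be used at all.
            proxy_http_version 1.1;
            proxy_set_header Connection "";

            # 5. Leave proxy_buffering at its default (on); turning it off ties
            #    a worker to each slow client for the whole response.
            # proxy_buffering off;                  # mistake
        }

        location /download/ {
            # Without this line the nosniff header is lost here (item 4).
            add_header X-Content-Type-Options nosniff;
            add_header Cache-Control "no-store";
            proxy_pass http://backend;
        }

        # 6. "if" inside location is only safe with return/rewrite; express
        #    other conditional logic with map or try_files instead.
        location /old/ {
            if ($request_method = POST) {
                return 405;
            }
            rewrite ^/old/(.*)$ /new/$1 permanent;
        }
    }

    # 8. Unsecured access to metrics: stub_status exposes connection and
    #    request counters to anyone who can reach it.
    # location /nginx_status { stub_status; }     # mistake: world-readable
    server {
        listen 8081;                              # separate management port
        location = /nginx_status {
            stub_status;
            allow 127.0.0.1;
            allow 10.0.0.0/24;                    # placeholder monitoring subnet
            deny all;
        }
    }
}
```

Check a modified file with `nginx -t` before reloading; in particular, an `error_log off` mistake shows up as an unexpected file named `off` in the prefix directory (`nginx -V` prints the prefix), and the metrics endpoint can be verified by confirming that `/nginx_status` answers on the management port from an allowed address and returns 403 from any other.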

This issue has been assigned GSD-2022-1000285