CVE-2017-20005

Summary

CVE	CVE-2017-20005
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-06-06 22:15:00 UTC
Updated	2021-12-02 19:43:00 UTC
Description	NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.

Risk And Classification

Problem Types: CWE-190

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	F5	Nginx	All	All	All	All
Application	Nginx	Nginx	All	All	All	All

References

Reference	Source	Link	Tags
Introduced time truncation to December 31, 9999 (ticket #1368). · nginx/nginx@b900cc2 · GitHub	MISC	github.com
Fixed ngx_gmtime() on 32-bit platforms with 64-bit time_t. · nginx/nginx@0206ebe · GitHub	MISC	github.com
nginx.org/en/CHANGES	MISC	nginx.org
[SECURITY] [DLA 2680-1] nginx security update	MLIST	lists.debian.org
CVE-2017-20005 NGINX Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
#1368 (Date oveflow problems with ngx_gmtime()) – nginx	MISC	trac.nginx.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

178663 Debian Security Update for nginx (DLA 2680-1)
670654 EulerOS Security Update for nginx (EulerOS-SA-2021-2412)
670718 EulerOS Security Update for nginx (EulerOS-SA-2021-2476)
671013 EulerOS Security Update for nginx (EulerOS-SA-2021-2599)