PT-2014-11: Information Disclosure in nginx

Vulnerable software

nginx
Version: 1.7.3 and earlier
Link: http://nginx.org/

Severity level

Severity level: Low
Impact: Information Disclosure
Access Vector: Local
CVSS v2:
Base Score: 1.9
Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CVE: not assigned

Software description

nginx [engine x] is an HTTP and reverse proxy server, as well as a mail proxy server.

Vulnerability description

The specialists of the Positive Research center have detected an Information Disclosure vulnerability in nginx.

The URI normalization function does not properly handle the transmitted values, so an attacker can disclose memory areas using a web server log.

Update your software to the latest version.

Advisory status

18.07.2014 - Vendor gets vulnerability details
05.08.2014 - Vendor releases fixed version and details
05.09.2014 - Public disclosure

Credits

The vulnerability was detected by Sergey Bobrov, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2014-11

Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/