Fedora 42 update for nginx, nginx-mod-fancyindex, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts

1) Improper authentication

EUVDB-ID: #VU103686

Risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-23419

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an TLS session resumption when handling client certificate authentication. A remote attacker can bypass authentication process and gain unauthorized access to the application.

Successful exploitation of the vulnerability requires that name-based virtual hosts are configured to share the same IP address and port combination and have TLS 1.3 and OpenSSL. This vulnerability arises when TLS session tickets are used and/or the SSL session cache is used in the default virtual server and the default virtual server is performing client certificate authentication.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 42

nginx-mod-vts: before 0.2.3-3.fc42

nginx-mod-naxsi: before 1.6-9.fc42

nginx-mod-modsecurity: before 1.0.3-16.fc42

nginx-mod-fancyindex: before 0.5.2-10.fc42

nginx: before 1.26.3-1.fc42

CPE2.3

• cpe:2.3:o:fedoraproject:fedora:42:*:*:*:*:*:*:*
• cpe:2.3:a:fedoraproject:nginx-mod-vts:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:nginx-mod-naxsi:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:nginx-mod-modsecurity:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:nginx-mod-fancyindex:*:*:*:*:*:fedora:*:*
• cpe:2.3:a:fedoraproject:nginx:*:*:*:*:*:fedora:*:*

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2025-d5a48cff6d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.