
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN125
_____________________________________________________________________

DATE                : 05/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running NGINX versions prior to 1.29.5+ / 1.28.2+.

=====================================================================
https://nginx.org/en/security_advisories.html
https://github.com/advisories/GHSA-7chh-rv6q-8pp3
_____________________________________________________________________

SSL upstream injection
Severity: medium
Advisory
CVE-2026-1642
Not vulnerable: 1.29.5+, 1.28.2+
Vulnerable: 1.3.0-1.29.4
_____________________________________________________________________


High severity, Unreviewed. Published Feb 4, 2026 to the GitHub Advisory Database; updated Feb 5, 2026.

Package
No package listed

Affected versions
Unknown

Patched versions
Unknown


Description

A vulnerability exists in NGINX OSS and NGINX Plus when configured to 
proxy to upstream Transport Layer Security (TLS) servers. An attacker 
with a man-in-the-middle (MITM) position on the upstream server 
side—along with conditions beyond the attacker's control—may be able 
to inject plain text data into the response from an upstream proxied 
server. Note: Software versions which have reached End of Technical 
Support (EoTS) are not evaluated.
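A practical first step for an administrator is to check whether the installed NGINX build falls inside the affected range stated above (vulnerable 1.3.0-1.29.4; not vulnerable 1.29.5+ and 1.28.2+). The script below is an added example written for this note, not tooling from NGINX, F5 or CERT-Renater. It parses the version string printed by `nginx -v` (a real command, which writes to stderr), encodes the advisory's ranges, and treats the 1.28.2+ backport branch correctly: 1.28.2 is patched even though it is numerically below 1.29.4. The sample version strings at the bottom are constructed for the demonstration; the NGINX Plus output format is assumed to contain a plain `nginx/x.y.z` token and is not verified here.

```python
import re
import subprocess

# Ranges taken from the advisory for CVE-2026-1642.
VULN_LOW = (1, 3, 0)       # first vulnerable release
VULN_HIGH = (1, 29, 4)     # last vulnerable release on the mainline branch
FIXED = [(1, 29, 5), (1, 28, 2)]  # first fixed release per maintained branch


def parse_version(text):
    """Return (major, minor, patch) from `nginx -v` output such as
    'nginx version: nginx/1.29.4', or from a bare 'x.y.z' string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(v):
    """True if v is at or beyond a fixed release.

    A version counts as fixed when it is on the same major.minor branch as a
    fixed release and not older than it (the 1.28.2+ backport case), or when
    it is at or beyond the newest fixed release (1.29.5+ and later branches).
    """
    if v >= max(FIXED):
        return True
    return any(v[:2] == f[:2] and v >= f for f in FIXED)


def is_vulnerable(v):
    """Apply the advisory's ranges: inside 1.3.0-1.29.4 and not fixed."""
    if is_fixed(v):
        return False
    return VULN_LOW <= v <= VULN_HIGH


def assess(text):
    """Classify one `nginx -v` style string as 'vulnerable' or 'not vulnerable'."""
    return "vulnerable" if is_vulnerable(parse_version(text)) else "not vulnerable"


def installed_nginx_version():
    """Run `nginx -v` on this host; nginx prints its version to stderr.
    Returns None if the binary is not available."""
    try:
        out = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_version(out.stderr or out.stdout)


# Constructed sample strings covering the edge cases of the advisory ranges.
SAMPLES = [
    "nginx version: nginx/1.29.4",   # last vulnerable mainline release
    "nginx version: nginx/1.29.5",   # first fixed mainline release
    "nginx version: nginx/1.28.1",   # stable branch before the backport
    "nginx version: nginx/1.28.2",   # stable branch backport, fixed
    "nginx version: nginx/1.2.9",    # predates the vulnerable code
    "nginx version: nginx/1.30.0",   # hypothetical later release, fixed
]


def assess_all(samples=SAMPLES):
    """Map each sample string to its classification."""
    return {s: assess(s) for s in samples}


if __name__ == "__main__":
    for line, verdict in assess_all().items():
        print(f"{line:40s} -> {verdict}")
    local = installed_nginx_version()
    if local is not None:
        print("this host:", ".".join(map(str, local)), "->", assess(".".join(map(str, local))))
```

Run it on the proxy hosts themselves; a package manager's reported version can lag behind or differ from the binary actually loaded, and `nginx -v` reports the running build. The script only compares version numbers; it does not tell you whether a given instance actually proxies to TLS upstreams, which is the configuration the advisory is concerned with.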


References

    https://nvd.nist.gov/vuln/detail/CVE-2026-1642
    https://my.f5.com/manage/s/article/K000159824
    http://www.openwall.com/lists/oss-security/2026/02/05/1


Severity
High
8.2/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity High
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses
Weakness CWE-349

CVE ID
CVE-2026-1642

GHSA ID
GHSA-7chh-rv6q-8pp3

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================