
Nginx Restriction Bypass via Space Character in URI

Impact: High

Description

A bug in Nginx allows an attacker to bypass security restrictions in certain configurations by using a specially crafted request. Some checks on a request URI are not executed on a character following an unescaped space character.

Recommendation

Upgrade Nginx to a fixed version.

As a temporary workaround, the following configuration can be used in each server{} block:

if ($request_uri ~ " ") {
    return 444;
}
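
To check whether requests with an unescaped space are reaching a server, and whether the workaround is dropping them, the access log can be scanned. The Python below is an added example, not part of the original advisory; it assumes nginx's default combined log format (where a space inside the request line is written literally) and runs on constructed sample lines. Status 444 is what the workaround returns, so it marks a request as blocked.

```python
import re

# Combined format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
# A well-formed request line is METHOD SP URI SP HTTP/x.y; the URI itself
# should never contain a raw space (it should be sent as %20).
REQ_RE = re.compile(r'^([A-Z]+) (.+) (HTTP/\d\.\d)$')


def uri_has_raw_space(request):
    """True when the logged request line has an unescaped space in the URI."""
    m = REQ_RE.match(request)
    return bool(m) and " " in m.group(2)


def scan(lines):
    """Return (ip, request, status, blocked) for each request with a raw space.

    blocked is True when the status is 444, i.e. the workaround fired.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ip, _time, request, status = m.groups()
        if uri_has_raw_space(request):
            findings.append((ip, request, int(status), status == "444"))
    return findings


# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.79.1"',
    '192.0.2.11 - - [10/Oct/2021:10:00:02 +0000] "GET /docs/a%20b.txt HTTP/1.1" 200 88 "-" "curl/7.79.1"',
    '198.51.100.7 - - [10/Oct/2021:10:00:03 +0000] "GET /docs/a b.txt HTTP/1.1" 200 88 "-" "curl/7.79.1"',
    '198.51.100.7 - - [10/Oct/2021:10:00:04 +0000] "GET /docs/a b.txt HTTP/1.1" 444 0 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for ip, request, status, blocked in scan(SAMPLE_LOG):
        state = "blocked by workaround" if blocked else "NOT blocked"
        print(f"{ip} {request!r} -> {status} ({state})")
```

Any line reported as not blocked means a request with a raw space was processed normally, so the workaround is missing from the server{} block that handled it.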

Last updated on October 10, 2021
