Nginx have announced a fix for an information disclosure vulnerability arising from an integer overflow when multiple ranges are requested (via the HTTP Range header):
When using nginx with standard modules this allows an attacker to
obtain a cache file header if a response was returned from cache.
In some configurations a cache file header may contain IP address
of the backend server or other sensitive information.
The issue affects a wide range of versions: nginx 0.5.6 - 1.13.2.
The issue is fixed in nginx 1.13.3, 1.12.1.
There's a known mitigation: limiting the number of ranges permitted in a request to 1 (which suggests it should be possible to exploit with just 2 ranges).
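
A triage helper for the version range and mitigation described above, as an added example that is not from the original post or the nginx project: it decides whether a reported nginx version is in the affected range and flags Range headers that ask for more ranges than the mitigation allows (nginx enforces that limit with its `max_ranges` directive). The function names and sample inputs are constructed, and treating every 1.12.x release from 1.12.1 onward as fixed is an assumption.

```python
import re

# Version bounds taken from the advisory text above.
FIRST_AFFECTED = (0, 5, 6)
LAST_AFFECTED = (1, 13, 2)
# 1.12.1 is a fixed release that sorts *below* 1.13.2, so a plain range
# comparison would wrongly report it as affected.
# Assumption: later 1.12.x releases keep the fix.
FIXED_STABLE = (1, 12, 1)


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'nginx version: nginx/1.12.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_text):
    """True if the version falls in 0.5.6 - 1.13.2 and is not a fixed 1.12.x."""
    v = parse_version(version_text)
    if v[:2] == FIXED_STABLE[:2] and v >= FIXED_STABLE:
        return False
    return FIRST_AFFECTED <= v <= LAST_AFFECTED


def count_ranges(range_header):
    """Count byte-range specs in a Range header value (0 if not 'bytes=')."""
    unit, sep, specs = range_header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return 0
    return sum(1 for spec in specs.split(",") if spec.strip())


def exceeds_mitigation(range_header, max_ranges=1):
    """True if the request asks for more ranges than the mitigation permits."""
    return count_ranges(range_header) > max_ranges


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real hosts or logs.
    for banner in ["nginx/1.10.3", "nginx/1.12.1", "nginx/1.13.2", "nginx/1.13.3"]:
        print(banner, "affected" if is_affected(banner) else "not affected")
    for header in ["bytes=0-99", "bytes=0-99, 200-299"]:
        print(repr(header), "multi-range" if exceeds_mitigation(header) else "ok")
```

To feed `exceeds_mitigation` from access logs, the log format has to record the request's Range header, which nginx's default format does not.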