The NGINX Controller Agent installer script ‘install.sh’ uses HTTP instead of HTTPS to check and install packages. (CVE-2020-5867)
Impact
A man-in-the-middle (MITM) attacker can use this vulnerability to intercept the insecure HTTP channel and convincingly forge any packages and get the malicious packages installed on the NGINX Plus instance.