K11922628 : NGINX Controller sensitive command-line arguments vulnerability CVE-2020-5866

Security Advisory Description

The helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments. (CVE-2020-5866)

Impact

The affected script causes sensitive items to display in the system process listing (ps,top) while the**helper.sh script is running. Other users on the NGINX Controller system can see those sensitive items. The sensitive items are also stored in thebash** history; if you have enabled audit logging for the command line, the sensitive items are also stored in the audit log.

If an attacker can access the sensitive items, the attacker might use the information to launch an attack against the affected host and other related NGINX Controller resources.