250 matches found
CVE-2023-5044 vulnerabilities
Vulnerabilities for packages: ingress-nginx-controller...
Ingress NGINX Controller Injection Vulnerability
Ingress NGINX Controller is a Kubernetes open source entry controller for Kubernetes. A security vulnerability exists in Ingress NGINX Controller. An attacker can exploit this vulnerability to execute arbitrary commands...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: prometheus-adapter, kubeflow, terraform, aactl, dex, nats, kpt, external-dns, minio, kots, helm, gomplate, node-problem-detector, haproxy-ingress, secrets-store-csi-driver, gke-gcloud-auth-plugin, ollama, nghttp2, mc, gitness, cortex, src, rqlite, hey, cosign,...
CVE-2023-44487 vulnerabilities
Vulnerabilities for packages: prometheus-adapter, kubeflow, terraform, aactl, dex, nats, kpt, external-dns, minio, kots, helm, gomplate, node-problem-detector, haproxy-ingress, secrets-store-csi-driver, gke-gcloud-auth-plugin, ollama, nghttp2, mc, gitness, cortex, src, rqlite, hey, cosign,...
CVE-2021-25748
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the spec.rules.http.paths.path field of an Ingress object in the networking.k8s.io or extensions API group to obtain the credentials of...
K14631834: NGINX Controller vulnerability CVE-2020-5863
Security Advisory Description In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other...
K45263486: NGINX Controller vulnerability CVE-2021-23020
Security Advisory Description The NAAS API keys are generated using an insecure pseudo-random string and hashing algorithm, which may lead to predictable keys. CVE-2021-23020 Impact Local attackers are able to potentially generate a valid user key. Security Advisory Status F5 Product Development...
K27205552: NGINX Controller vulnerability CVE-2020-5864
Security Advisory Description Communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. CVE-2020-5864 Impact This vulnerability enables a man-in-the-middle MITM attack that can intercept the communication channel and read/modify data in transit. Security...
K59209532: NGINX Controller NATS vulnerability CVE-2020-5910
Security Advisory Description The Neural Autonomic Transport System NATS messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized. CVE-2020-5910 Impact A malicious user with access to the host where NGINX...
K84084843: NGINX Controller installer vulnerability CVE-2020-5911
Security Advisory Description The NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system. CVE-2020-5911 Impact A man-in-the-middle MITM attacker can use this vulnerability to intercept the insecure HTTP channel and convincingly forge...
K95120415: NGINX Controller AVRD vulnerability CVE-2020-5895
Security Advisory Description AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault SIGSEGV by writing malformed messages to the...
K25434422: NGINX Controller vulnerability CVE-2020-5899
Security Advisory Description Recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of...
K43520321: NGINX Controller API Vulnerability CVE-2020-5901
Security Advisory Description Undisclosed API endpoints may allow for a reflected Cross Site Scripting XSS attack. If the victim user is logged in as admin this could result in a complete compromise of the system. CVE-2020-5901 Impact For the attack to occur, a user must visit a specially crafted...
K11922628: NGINX Controller sensitive command-line arguments vulnerability CVE-2020-5866
Security Advisory Description The helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments. CVE-2020-5866 Impact The affected script causes sensitive items to display in the system process listing ps , top while the helper.s...
K00958787: NGINX Controller vulnerability CVE-2020-5867
Security Advisory Description The NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages. CVE-2020-5867 Impact A man-in-the-middle MITM attacker can use this vulnerability to intercept the insecure HTTP channel and convincingly forge any...
K97002210: NGINX Controller vulnerability CVE-2021-23018
Security Advisory Description Intra-cluster communication does not use TLS. The services within the NGINX Controller namespace are using cleartext protocols inside the cluster. CVE-2021-23018 Impact Attackers with access to cluster may have the ability to read and modify the data being sent betwe...
K31044532: NGINX Controller vulnerability CVE-2020-5900
Security Advisory Description Insufficient cross-site request forgery CSRF protections for the NGINX Controller user interface. CVE-2020-5900 Impact An attacker can exploit this vulnerability by enticing a victim user to follow a malicious link. A successful exploit can allow the attacker to...
K31150658: NGINX Controller vulnerability CVE-2020-5909
Security Advisory Description When users run the command displayed in NGINX Controller user interface UI to fetch the agent installer, the server TLS certificate is not verified. CVE-2020-5909 Impact A man-in-the-middle MITM attacker can intercept the communication channel and read/modify data in...
K57735782: NGINX Controller API Management vulnerability CVE-2022-23008
Security Advisory Description An authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. CVE-2022-23008 Impact Successful exploitation...
K13028514: NGINX Controller webserver vulnerability CVE-2020-5894
Security Advisory Description The NGINX Controller webserver does not invalidate the server-side session token after users log out. CVE-2020-5894 Impact An attacker that successfully extracted a valid session token can use it before it expires on the server-side, even if the valid user has logged...