242 matches found
CVE-2020-5865
In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks...
CVE-2020-5864
In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skips TLS verification by default...
Command injection
In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments...
Default credentials
In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skips TLS verification by default...
Code injection
In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks...
CVE-2020-5866
In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments...
CVE-2020-5866
The CVE affects F5 NGINX Controller pre-3.3.0: the helper.sh script that is used to change settings accepts sensitive items as command-line arguments. This can cause sensitive data to be exposed in system process listings (ps/top) and stored in bash history; audit logs may also capture them if en...
CVE-2020-5864
In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skips TLS verification by default...
CVE-2020-5865
The CVE-2020-5865 issue affects NGINX Controller versions prior to 3.3.0, where the Controller communicates with its Postgres database over unencrypted channels. This enables man-in-the-middle interception of data in transit and, as described in the advisory, could allow an attacker to modify use...
OS Command Injection
strong-nginx-controller is vulnerable to OS command injection. Lack of validation and sanitization of the action parameter allows an attacker to inject and execute arbitrary OS commands via the nginxCmd function...
IBM strong-nginx-controller injection vulnerability
IBM strong-nginx-controller is an Nginx server controller from IBM, USA. An injection vulnerability exists in IBM strong-nginx-controller version 1.0.2 and earlier. A remote attacker can exploit the vulnerability to execute arbitrary commands with the first parameter of the 'nginxCmd' function...
Command injection
strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary commands as part of the 'nginxCmd' function...
CVE-2020-7621
The vulnerability affects strong-nginx-controller up to version 1.0.2, where a Command Injection flaw exists in the _nginxCmd() function that could allow an attacker to execute arbitrary commands. The issue is rooted in improper input handling within the module, leading to potential remote comman...
Command Injection
Overview: strong-nginx-controller is a module that provides reverse-proxy and load-balancing support for multiple strong-pm instances configured and run using StrongLoop Arc. Affected versions of this package are vulnerable to Command Injection. The first argument of function nginxCmd can be...
strong-arc (>=1.8.6 <=1.8.9), strong-mesh-client (>=1.3.5 <=2.0.2) +1 more potentially affected by CVE-2020-7621 via strong-nginx-controller (=1.0.2)
strong-nginx-controller NPM version =1.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on strong-nginx-controller and may be impacted: - strong-arc =1.8.6, =1.3.5, =6.0.1, =6.0.3 Source cves: CVE-2020-7621 Source advisory:...
NGINX Controller Access Control Error Vulnerability
NGINX is a lightweight Web server/reverse proxy server and e-mail IMAP/POP3 proxy server from the U.S. company NGINX. A security vulnerability exists in NGINX Controller versions prior to 3.2.0, which stems from a failure of the Controller API to perform proper access control. The vulnerability c...
CVE-2020-5863
In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other components of the system...
Design/Logic Flaw
In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other components of the system...