Lucene search
K
F5Nginx Controller

18 matches found

CVE
CVE
added 2020/03/27 2:35 p.m.166 views

CVE-2020-5863

NGINX Controller (versions before 3.2.0) is affected by an access-control vulnerability in the Controller API: an unauthenticated remote attacker can create unprivileged user accounts and upload a license, with no ability to view or modify other components. Root cause is improper API access contr...

8.6CVSS8.6AI score0.01122EPSS
CVE
CVE
added 2020/12/11 7:3 p.m.96 views

CVE-2020-27730

CVE-2020-27730 affects the NGINX Controller Agent : versions 1.0.1, 2.0.0–2.9.0, and 3.0.0–3.9.0 do not use absolute paths when invoking system utilities, enabling a local attacker to escalate privileges to root and execute arbitrary code. Public disclosures from Red Hat and F5 corroborate the vu...

9.8CVSS9.4AI score0.01693EPSS
CVE
CVE
added 2020/05/07 12:28 p.m.77 views

CVE-2020-5895

CVE-2020-5895 affects NGINX Controller AVRD in versions 3.1.0–3.3.0, where AVRD sockets are world-readable and world-writable, allowing a local attacker to write arbitrary data and trigger a segmentation fault by sending malformed messages. Remediation: upgrade to 3.4.0 (per advisory) and/or depl...

7.8CVSS7.5AI score0.00292EPSS
CVE
CVE
added 2021/06/01 11:51 a.m.72 views

CVE-2021-23018

The CVE-2021-23018 issue affects NGINX Controller 3.x deployments where intra-cluster communication does not use TLS, leaving cleartext traffic between services inside the cluster. Affected versions are 3.x prior to 3.4.0. Root cause is unencrypted intra-cluster channels, enabling potential read/...

7.4CVSS7.4AI score0.00544EPSS
CVE
CVE
added 2021/06/01 12:3 p.m.70 views

CVE-2021-23019

The CVE-2021-23019 entry applies to NGINX Controller, affecting versions 2.0.0 through 2.9.0 and 3.x before 3.15.0. The root cause is exposure of the Administrator password in the systemd.txt file included in the NGINX support package. This credential exposure is the stated impact. Mitigation pro...

7.8CVSS7.7AI score0.00239EPSS
CVE
CVE
added 2021/06/01 12:23 p.m.67 views

CVE-2021-23021

CVE-2021-23021 affects NGINX Controller 3.x prior to 3.7.0. The vulnerability arises from the agent configuration file /etc/controller-agent/agent.conf being world-readable (644), enabling local attackers to access sensitive data (e.g., API keys). Remediation per multiple sources: upgrade to NGIN...

5.5CVSS6AI score0.00229EPSS
CVE
CVE
added 2020/04/23 7:58 p.m.64 views

CVE-2020-5867

The CVE-2020-5867 issue affects the NGINX Controller Agent installer script (install.sh) used by the NGINX Controller. In versions prior to 3.3.0, it uses HTTP instead of HTTPS to check and install packages, creating a MITM risk where malicious packages could be forged and installed on affected N...

8.1CVSS8AI score0.004EPSS
CVE
CVE
added 2021/06/01 12:14 p.m.64 views

CVE-2021-23020

CVE-2021-23020 affects F5 NGINX Controller (NGINX Controller, NAAS API keys) where API keys are generated with an insecure pseudo-random string and hashing algorithm, potentially allowing a local attacker to predict/generate valid keys for access. Exploitation status is not detailed in the provid...

5.5CVSS6AI score0.00255EPSS
CVE
CVE
added 2020/05/07 12:25 p.m.61 views

CVE-2020-5894

The CVE-2020-5894 issue affects NGINX Controller webserver versions 3.0.0–3.3.0. The root cause is that server-side session tokens are not invalidated after logout, enabling a remote attacker who has a valid token to reuse it until it expires. The official advisory indicates that upgrades to 3.4....

8.1CVSS8AI score0.01019EPSS
CVE
CVE
added 2020/07/01 2:1 p.m.61 views

CVE-2020-5899

The CVE-2020-5899 issue affects NGINX Controller (3.0.0–3.4.0). The recovery/token used to change a user’s password is transmitted and stored in the database in plaintext, enabling an attacker with DB access or interception to request a password reset for another user and retrieve the recovery co...

7.8CVSS7.5AI score0.00185EPSS
CVE
CVE
added 2020/07/02 12:25 p.m.60 views

CVE-2020-5910

CVE-2020-5910 affects NGINX Controller’s NATS messaging service. Affected versions are 3.0.0–3.5.0, 2.0.0–2.9.0, and 1.0.1, where NATS does not require authentication, allowing any successful connection to be authorized. Impact described includes potential eavesdropping and unauthorized access to...

7.5CVSS7.5AI score0.01154EPSS
CVE
CVE
added 2020/07/01 2:3 p.m.57 views

CVE-2020-5901

CVE-2020-5901 affects NGINX Controller 3.3.0–3.4.0 . An undisclosed API endpoint may enable a reflected Cross‑Site Scripting (XSS) attack; if the victim is logged in as an administrator, this can lead to complete system compromise. The CVSSv3 base score is 9.6 (CRITICAL) with web‑network exposure...

9.6CVSS8.7AI score0.01466EPSS
CVE
CVE
added 2020/07/02 12:23 p.m.56 views

CVE-2020-5911

The CVE-2020-5911 issue affects NGINX Controller installer on Debian/Ubuntu, where versions 3.0.0–3.5.0, 2.0.0–2.9.0, and 1.0.1 download Kubernetes packages over HTTP, enabling MITM risks. The associated advisory from F5 lists vulnerable versions and states fixes were introduced in 3.6.0; remedia...

7.5CVSS7.2AI score0.01006EPSS
CVE
CVE
added 2020/04/23 6:16 p.m.54 views

CVE-2020-5865

The CVE-2020-5865 issue affects NGINX Controller versions prior to 3.3.0, where the Controller communicates with its Postgres database over unencrypted channels. This enables man-in-the-middle interception of data in transit and, as described in the advisory, could allow an attacker to modify use...

5.8CVSS5AI score0.0039EPSS
CVE
CVE
added 2020/07/02 12:26 p.m.54 views

CVE-2020-5909

CVE-2020-5909 affects NGINX Controller versions 1.0.1, 2.0.0–2.9.0, and 3.0.0–3.5.0, where the server TLS certificate is not verified when running the command in the UI to fetch the agent installer. Red Hat and F5 advisories confirm this enables MITM interception/read/modify of in-transit data. T...

5.8CVSS5.5AI score0.004EPSS
CVE
CVE
added 2020/04/23 6:32 p.m.53 views

CVE-2020-5864

The CVE-2020-5864 issue affects NGINX Controller (NGINX Controller) versions prior to 3.2.0, where the communication with NGINX Plus instances omits TLS verification by default. This creates a MITM risk in transit between the controller and data plane components. The advisory indicates the vulner...

7.4CVSS7.4AI score0.01033EPSS
CVE
CVE
added 2020/07/01 1:59 p.m.52 views

CVE-2020-5900

CVE-2020-5900 affects NGINX Controller components across versions 1.0.1, 2.0.0–2.9.0, and 3.0.0–3.4.0, with insufficient CSRF protections on the user interface. The Red Hat and F5 advisories confirm the vulnerability allows an attacker to induce the victim to perform arbitrary actions in the web ...

8.8CVSS8.8AI score0.00452EPSS
CVE
CVE
added 2020/04/23 6:37 p.m.49 views

CVE-2020-5866

The CVE affects F5 NGINX Controller pre-3.3.0: the helper.sh script that is used to change settings accepts sensitive items as command-line arguments. This can cause sensitive data to be exposed in system process listings (ps/top) and stored in bash history; audit logs may also capture them if en...

5.5CVSS5.4AI score0.00326EPSS