Search criteria
54 vulnerabilities found for nginx_controller by f5
FKIE_CVE-2021-23021
Vulnerability from fkie_nvd - Published: 2021-06-01 13:15 - Updated: 2024-11-21 05:51
Severity ?
Summary
The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://support.f5.com/csp/article/K36926027 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K36926027 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ECFB4C06-AF5C-4F1E-8245-B78E13266219",
"versionEndExcluding": "3.7.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644."
},
{
"lang": "es",
"value": "El archivo de configuraci\u00f3n /etc/controller-agent/agent.conf del agente de Nginx Controller 3.x versiones anteriores a la 3.7.0 es world readable con los bits de permiso actuales establecidos en 644"
}
],
"id": "CVE-2021-23021",
"lastModified": "2024-11-21T05:51:10.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-01T13:15:08.010",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K36926027"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K36926027"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "f5sirt@f5.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23020
Vulnerability from fkie_nvd - Published: 2021-06-01 13:15 - Updated: 2024-11-21 05:51
Severity ?
Summary
The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://support.f5.com/csp/article/K45263486 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K45263486 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B65DAE6C-1EE0-4B1B-B4A1-FA108D3EFA15",
"versionEndExcluding": "3.10.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys."
},
{
"lang": "es",
"value": "Las claves de la API de NAAS 3.x anteriores a la 3.10.0 se generaron usando una cadena pseudoaleatoria no segura y un algoritmo hash que podr\u00eda conllevar a claves predecibles"
}
],
"id": "CVE-2021-23020",
"lastModified": "2024-11-21T05:51:09.907",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-01T13:15:07.960",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K45263486"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K45263486"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-330"
}
],
"source": "f5sirt@f5.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-330"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23019
Vulnerability from fkie_nvd - Published: 2021-06-01 13:15 - Updated: 2024-11-21 05:51
Severity ?
Summary
The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://support.f5.com/csp/article/K04884013 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K04884013 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * | |
| f5 | nginx_controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CA86CB0-F33A-4B9C-AAFC-8AC3F0071A31",
"versionEndIncluding": "2.9.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2191FCCA-DFCF-4645-A90C-A850ED5FF205",
"versionEndExcluding": "3.15.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package."
},
{
"lang": "es",
"value": "La contrase\u00f1a de administrador NGINX Controller versiones 2.0.0 a 2.9.0 y 3.x versiones anteriores a 3.15.0 puede estar expuesta en el archivo systemd.txt que se incluye en el paquete de soporte de NGINX"
}
],
"id": "CVE-2021-23019",
"lastModified": "2024-11-21T05:51:09.797",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.9,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-01T13:15:07.907",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K04884013"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K04884013"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-201"
}
],
"source": "f5sirt@f5.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-23018
Vulnerability from fkie_nvd - Published: 2021-06-01 12:15 - Updated: 2024-11-21 05:51
Severity ?
Summary
Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://support.f5.com/csp/article/K97002210 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K97002210 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "064A19E8-57A9-4C34-B84C-54F3F0A9DA40",
"versionEndIncluding": "3.4.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster."
},
{
"lang": "es",
"value": "Una comunicaci\u00f3n dentro del cl\u00faster no usa TLS. Los servicios dentro del espacio de nombres de NGINX Controller 3.x versiones anteriores a 3.4.0 estan usando protocolos de texto sin cifrar dentro del cl\u00faster"
}
],
"id": "CVE-2021-23018",
"lastModified": "2024-11-21T05:51:09.680",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-01T12:15:07.720",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K97002210"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K97002210"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "f5sirt@f5.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-27730
Vulnerability from fkie_nvd - Published: 2020-12-11 20:15 - Updated: 2024-11-21 05:21
Severity ?
Summary
In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://security.netapp.com/advisory/ntap-20210115-0004/ | Third Party Advisory | |
| f5sirt@f5.com | https://support.f5.com/csp/article/K43530108 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20210115-0004/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K43530108 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * | |
| f5 | nginx_controller | * | |
| f5 | nginx_controller | 1.0.1 | |
| netapp | cloud_backup | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CA86CB0-F33A-4B9C-AAFC-8AC3F0071A31",
"versionEndIncluding": "2.9.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B65DAE6C-1EE0-4B1B-B4A1-FA108D3EFA15",
"versionEndExcluding": "3.10.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D96CC675-BA26-4E41-B8F1-63F643E022D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5C2089EE-5D7F-47EC-8EA5-0F69790564C4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities."
},
{
"lang": "es",
"value": "En versiones 3.0.0-3.9.0, 2.0.0-2.9.0 y 1.0.1, el NGINX Controller Agent no usa rutas absolutas cuando llaman a las utilidades del sistema"
}
],
"id": "CVE-2020-27730",
"lastModified": "2024-11-21T05:21:42.803",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-11T20:15:16.643",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210115-0004/"
},
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K43530108"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210115-0004/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K43530108"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-5910
Vulnerability from fkie_nvd - Published: 2020-07-02 13:15 - Updated: 2024-11-21 05:34
Severity ?
Summary
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://support.f5.com/csp/article/K59209532 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K59209532 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * | |
| f5 | nginx_controller | * | |
| f5 | nginx_controller | 1.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CA86CB0-F33A-4B9C-AAFC-8AC3F0071A31",
"versionEndIncluding": "2.9.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B096D372-9687-436E-AD7E-452260DE5774",
"versionEndIncluding": "3.5.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D96CC675-BA26-4E41-B8F1-63F643E022D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized."
},
{
"lang": "es",
"value": "En las versiones 3.0.0 hasta 3.5.0, 2.0.0 hasta 2.9.0 y 1.0.1, los servicios de mensajer\u00eda de Neural Autonomic Transport System (NATS) que utiliza NGINX Controller no requieren ninguna forma de autenticaci\u00f3n, por lo que cualquier conexi\u00f3n con \u00e9xito ser\u00eda autorizada"
}
],
"id": "CVE-2020-5910",
"lastModified": "2024-11-21T05:34:48.707",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-02T13:15:10.373",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K59209532"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K59209532"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-5911
Vulnerability from fkie_nvd - Published: 2020-07-02 13:15 - Updated: 2024-11-21 05:34
Severity ?
Summary
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://support.f5.com/csp/article/K84084843 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K84084843 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * | |
| f5 | nginx_controller | * | |
| f5 | nginx_controller | 1.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CA86CB0-F33A-4B9C-AAFC-8AC3F0071A31",
"versionEndIncluding": "2.9.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B096D372-9687-436E-AD7E-452260DE5774",
"versionEndIncluding": "3.5.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D96CC675-BA26-4E41-B8F1-63F643E022D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system."
},
{
"lang": "es",
"value": "En las versiones 3.0.0 hasta 3.5.0, 2.0.0 hasta 2.9.0 y 1.0.1, el NGINX Controller inicia la descarga de los paquetes de Kubernetes desde una URL HTTP en el sistema Debian/Ubuntu"
}
],
"id": "CVE-2020-5911",
"lastModified": "2024-11-21T05:34:48.807",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-02T13:15:10.437",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K84084843"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K84084843"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-5909
Vulnerability from fkie_nvd - Published: 2020-07-02 13:15 - Updated: 2024-11-21 05:34
Severity ?
Summary
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://support.f5.com/csp/article/K31150658 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K31150658 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * | |
| f5 | nginx_controller | * | |
| f5 | nginx_controller | 1.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CA86CB0-F33A-4B9C-AAFC-8AC3F0071A31",
"versionEndIncluding": "2.9.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B096D372-9687-436E-AD7E-452260DE5774",
"versionEndIncluding": "3.5.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D96CC675-BA26-4E41-B8F1-63F643E022D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified."
},
{
"lang": "es",
"value": "En las versiones 3.0.0 hasta 3.5.0, 2.0.0 hasta 2.9.0 y 1.0.1, cuando los usuarios ejecutan el comando desplegado en la Interfaz de Usuario (UI) del NGINX Controller para obtener el instalador del agente, el certificado TLS del servidor no es verificado"
}
],
"id": "CVE-2020-5909",
"lastModified": "2024-11-21T05:34:48.597",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-02T13:15:10.310",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K31150658"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K31150658"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-5901
Vulnerability from fkie_nvd - Published: 2020-07-01 15:15 - Updated: 2024-11-21 05:34
Severity ?
Summary
In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://support.f5.com/csp/article/K43520321 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K43520321 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95A0888F-9995-4091-B4DF-9D442A13E916",
"versionEndIncluding": "3.4.0",
"versionStartIncluding": "3.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system."
},
{
"lang": "es",
"value": "En NGINX Controller versiones 3.3.0 hasta 3.4.0, los endpoints de la API no revelados pueden permitir un ataque de tipo Cross Site Scripting (XSS) reflejado. Si el usuario v\u00edctima ha iniciado sesi\u00f3n como administrador, esto podr\u00eda resultar en un compromiso completo del sistema"
}
],
"id": "CVE-2020-5901",
"lastModified": "2024-11-21T05:34:47.633",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-01T15:15:15.280",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K43520321"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K43520321"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-5899
Vulnerability from fkie_nvd - Published: 2020-07-01 15:15 - Updated: 2024-11-21 05:34
Severity ?
Summary
In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://support.f5.com/csp/article/K25434422 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K25434422 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "064A19E8-57A9-4C34-B84C-54F3F0A9DA40",
"versionEndIncluding": "3.4.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user\u0027s password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code."
},
{
"lang": "es",
"value": "En NGINX Controller versiones 3.0.0 hasta 3.4.0, el c\u00f3digo de recuperaci\u00f3n requerido para cambiar la contrase\u00f1a de un usuario es transmitida y almacenada en la base de datos en texto plano, lo que permite a un atacante, que pueda interceptar la conexi\u00f3n de la base de datos o tener acceso de lectura a la base de datos, solicitar restablecer la contrase\u00f1a usando la direcci\u00f3n de correo electr\u00f3nico de otro usuario registrado y entonces recobrar el c\u00f3digo de recuperaci\u00f3n"
}
],
"id": "CVE-2020-5899",
"lastModified": "2024-11-21T05:34:47.437",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-01T15:15:15.203",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K25434422"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K25434422"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
},
{
"lang": "en",
"value": "CWE-319"
},
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-5900
Vulnerability from fkie_nvd - Published: 2020-07-01 14:15 - Updated: 2024-11-21 05:34
Severity ?
Summary
In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface.
References
| URL | Tags | ||
|---|---|---|---|
| f5sirt@f5.com | https://support.f5.com/csp/article/K31044532 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.f5.com/csp/article/K31044532 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| f5 | nginx_controller | * | |
| f5 | nginx_controller | * | |
| f5 | nginx_controller | 1.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CA86CB0-F33A-4B9C-AAFC-8AC3F0071A31",
"versionEndIncluding": "2.9.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "064A19E8-57A9-4C34-B84C-54F3F0A9DA40",
"versionEndIncluding": "3.4.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:nginx_controller:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D96CC675-BA26-4E41-B8F1-63F643E022D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface."
},
{
"lang": "es",
"value": "En las versiones 3.0.0 hasta 3.4.0, 2.0.0 hasta 2.9.0 y 1.0.1, no se presentan suficientes protecciones de cross-site request forgery (CSRF) para la interfaz de usuario de NGINX Controller"
}
],
"id": "CVE-2020-5900",
"lastModified": "2024-11-21T05:34:47.533",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-01T14:15:14.513",
"references": [
{
"source": "f5sirt@f5.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K31044532"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.f5.com/csp/article/K31044532"
}
],
"sourceIdentifier": "f5sirt@f5.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2021-23021 (GCVE-0-2021-23021)
Vulnerability from cvelistv5 – Published: 2021-06-01 12:23 – Updated: 2024-08-03 18:58
VLAI?
Summary
The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Nginx Controller |
Affected:
“3.x before 3.7.0”
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.217Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K36926027"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nginx Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u201c3.x before 3.7.0\u201d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T12:23:35",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K36926027"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2021-23021",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nginx Controller",
"version": {
"version_data": [
{
"version_value": "\u201c3.x before 3.7.0\u201d"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-732"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K36926027",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K36926027"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2021-23021",
"datePublished": "2021-06-01T12:23:35",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:58:26.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23020 (GCVE-0-2021-23020)
Vulnerability from cvelistv5 – Published: 2021-06-01 12:14 – Updated: 2024-08-03 18:58
VLAI?
Summary
The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Nginx Controller |
Affected:
“3.x before 3.10.0”
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K45263486"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nginx Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u201c3.x before 3.10.0\u201d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T12:14:39",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K45263486"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2021-23020",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nginx Controller",
"version": {
"version_data": [
{
"version_value": "\u201c3.x before 3.10.0\u201d"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-330"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K45263486",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K45263486"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2021-23020",
"datePublished": "2021-06-01T12:14:39",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:58:26.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23019 (GCVE-0-2021-23019)
Vulnerability from cvelistv5 – Published: 2021-06-01 12:03 – Updated: 2024-08-03 18:58
VLAI?
Summary
The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Nginx Controller |
Affected:
“2.0.0 thru 2.9.0” and “3.x before 3.15.0”
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.261Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K04884013"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nginx Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u201c2.0.0 thru 2.9.0\u201d and \u201c3.x before 3.15.0\u201d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T12:03:42",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K04884013"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2021-23019",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nginx Controller",
"version": {
"version_data": [
{
"version_value": "\u201c2.0.0 thru 2.9.0\u201d and \u201c3.x before 3.15.0\u201d"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-201"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K04884013",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K04884013"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2021-23019",
"datePublished": "2021-06-01T12:03:42",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:58:26.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23018 (GCVE-0-2021-23018)
Vulnerability from cvelistv5 – Published: 2021-06-01 11:51 – Updated: 2024-08-03 18:58
VLAI?
Summary
Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Nginx Controller |
Affected:
"3.x before 3.4.0"
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K97002210"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nginx Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\"3.x before 3.4.0\""
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T11:51:20",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K97002210"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2021-23018",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nginx Controller",
"version": {
"version_data": [
{
"version_value": "\"3.x before 3.4.0\""
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-319"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K97002210",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K97002210"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2021-23018",
"datePublished": "2021-06-01T11:51:20",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:58:26.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27730 (GCVE-0-2020-27730)
Vulnerability from cvelistv5 – Published: 2020-12-11 19:03 – Updated: 2024-08-04 16:18
VLAI?
Summary
In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities.
Severity ?
No CVSS data available.
CWE
- privilege escalation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.0.0-3.9.0, 2.0.0-2.9.0, 1.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:45.601Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K43530108"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210115-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0.0-3.9.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "privilege escalation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-15T10:06:16",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.f5.com/csp/article/K43530108"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210115-0004/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-27730",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.0.0-3.9.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "privilege escalation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K43530108",
"refsource": "CONFIRM",
"url": "https://support.f5.com/csp/article/K43530108"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210115-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210115-0004/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-27730",
"datePublished": "2020-12-11T19:03:21",
"dateReserved": "2020-10-26T00:00:00",
"dateUpdated": "2024-08-04T16:18:45.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5909 (GCVE-0-2020-5909)
Vulnerability from cvelistv5 – Published: 2020-07-02 12:26 – Updated: 2024-08-04 08:47
VLAI?
Summary
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
Severity ?
No CVSS data available.
CWE
- MITM
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:47:40.733Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K31150658"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "MITM",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T12:26:39",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K31150658"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-5909",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "MITM"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K31150658",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K31150658"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-5909",
"datePublished": "2020-07-02T12:26:39",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:47:40.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5910 (GCVE-0-2020-5910)
Vulnerability from cvelistv5 – Published: 2020-07-02 12:25 – Updated: 2024-08-04 08:47
VLAI?
Summary
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
Severity ?
No CVSS data available.
CWE
- data leakage
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:47:40.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K59209532"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "data leakage",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T12:25:11",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K59209532"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-5910",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "data leakage"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K59209532",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K59209532"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-5910",
"datePublished": "2020-07-02T12:25:11",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:47:40.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5911 (GCVE-0-2020-5911)
Vulnerability from cvelistv5 – Published: 2020-07-02 12:23 – Updated: 2024-08-04 08:47
VLAI?
Summary
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.
Severity ?
No CVSS data available.
CWE
- MITM
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:47:40.918Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K84084843"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "MITM",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T12:23:40",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K84084843"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-5911",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "MITM"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K84084843",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K84084843"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-5911",
"datePublished": "2020-07-02T12:23:40",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:47:40.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5901 (GCVE-0-2020-5901)
Vulnerability from cvelistv5 – Published: 2020-07-01 14:03 – Updated: 2024-08-04 08:47
VLAI?
Summary
In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system.
Severity ?
No CVSS data available.
CWE
- XSS
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.3.0-3.4.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:47:41.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K43520321"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.3.0-3.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-01T14:03:33",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K43520321"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-5901",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.3.0-3.4.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K43520321",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K43520321"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-5901",
"datePublished": "2020-07-01T14:03:33",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:47:41.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5899 (GCVE-0-2020-5899)
Vulnerability from cvelistv5 – Published: 2020-07-01 14:01 – Updated: 2024-08-04 08:47
VLAI?
Summary
In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code.
Severity ?
No CVSS data available.
CWE
- account hijacking
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.0.0-3.4.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:47:40.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K25434422"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0.0-3.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user\u0027s password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "account hijacking",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-01T14:01:58",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K25434422"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-5899",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.0.0-3.4.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user\u0027s password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "account hijacking"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K25434422",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K25434422"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-5899",
"datePublished": "2020-07-01T14:01:58",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:47:40.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23021 (GCVE-0-2021-23021)
Vulnerability from nvd – Published: 2021-06-01 12:23 – Updated: 2024-08-03 18:58
VLAI?
Summary
The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Nginx Controller |
Affected:
“3.x before 3.7.0”
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.217Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K36926027"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nginx Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u201c3.x before 3.7.0\u201d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T12:23:35",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K36926027"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2021-23021",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nginx Controller",
"version": {
"version_data": [
{
"version_value": "\u201c3.x before 3.7.0\u201d"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-732"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K36926027",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K36926027"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2021-23021",
"datePublished": "2021-06-01T12:23:35",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:58:26.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23020 (GCVE-0-2021-23020)
Vulnerability from nvd – Published: 2021-06-01 12:14 – Updated: 2024-08-03 18:58
VLAI?
Summary
The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Nginx Controller |
Affected:
“3.x before 3.10.0”
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K45263486"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nginx Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u201c3.x before 3.10.0\u201d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T12:14:39",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K45263486"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2021-23020",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nginx Controller",
"version": {
"version_data": [
{
"version_value": "\u201c3.x before 3.10.0\u201d"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-330"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K45263486",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K45263486"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2021-23020",
"datePublished": "2021-06-01T12:14:39",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:58:26.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23019 (GCVE-0-2021-23019)
Vulnerability from nvd – Published: 2021-06-01 12:03 – Updated: 2024-08-03 18:58
VLAI?
Summary
The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Nginx Controller |
Affected:
“2.0.0 thru 2.9.0” and “3.x before 3.15.0”
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.261Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K04884013"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nginx Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u201c2.0.0 thru 2.9.0\u201d and \u201c3.x before 3.15.0\u201d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T12:03:42",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K04884013"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2021-23019",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nginx Controller",
"version": {
"version_data": [
{
"version_value": "\u201c2.0.0 thru 2.9.0\u201d and \u201c3.x before 3.15.0\u201d"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-201"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K04884013",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K04884013"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2021-23019",
"datePublished": "2021-06-01T12:03:42",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:58:26.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23018 (GCVE-0-2021-23018)
Vulnerability from nvd – Published: 2021-06-01 11:51 – Updated: 2024-08-03 18:58
VLAI?
Summary
Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Nginx Controller |
Affected:
"3.x before 3.4.0"
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K97002210"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nginx Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\"3.x before 3.4.0\""
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T11:51:20",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K97002210"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2021-23018",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nginx Controller",
"version": {
"version_data": [
{
"version_value": "\"3.x before 3.4.0\""
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-319"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K97002210",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K97002210"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2021-23018",
"datePublished": "2021-06-01T11:51:20",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:58:26.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27730 (GCVE-0-2020-27730)
Vulnerability from nvd – Published: 2020-12-11 19:03 – Updated: 2024-08-04 16:18
VLAI?
Summary
In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities.
Severity ?
No CVSS data available.
CWE
- privilege escalation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.0.0-3.9.0, 2.0.0-2.9.0, 1.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:45.601Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K43530108"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210115-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0.0-3.9.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "privilege escalation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-15T10:06:16",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.f5.com/csp/article/K43530108"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210115-0004/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-27730",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.0.0-3.9.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "privilege escalation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K43530108",
"refsource": "CONFIRM",
"url": "https://support.f5.com/csp/article/K43530108"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210115-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210115-0004/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-27730",
"datePublished": "2020-12-11T19:03:21",
"dateReserved": "2020-10-26T00:00:00",
"dateUpdated": "2024-08-04T16:18:45.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5909 (GCVE-0-2020-5909)
Vulnerability from nvd – Published: 2020-07-02 12:26 – Updated: 2024-08-04 08:47
VLAI?
Summary
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
Severity ?
No CVSS data available.
CWE
- MITM
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:47:40.733Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K31150658"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "MITM",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T12:26:39",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K31150658"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-5909",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "MITM"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K31150658",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K31150658"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-5909",
"datePublished": "2020-07-02T12:26:39",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:47:40.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5910 (GCVE-0-2020-5910)
Vulnerability from nvd – Published: 2020-07-02 12:25 – Updated: 2024-08-04 08:47
VLAI?
Summary
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
Severity ?
No CVSS data available.
CWE
- data leakage
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:47:40.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K59209532"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "data leakage",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T12:25:11",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K59209532"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-5910",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "data leakage"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K59209532",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K59209532"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-5910",
"datePublished": "2020-07-02T12:25:11",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:47:40.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5911 (GCVE-0-2020-5911)
Vulnerability from nvd – Published: 2020-07-02 12:23 – Updated: 2024-08-04 08:47
VLAI?
Summary
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.
Severity ?
No CVSS data available.
CWE
- MITM
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:47:40.918Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K84084843"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "MITM",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T12:23:40",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K84084843"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-5911",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "MITM"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K84084843",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K84084843"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-5911",
"datePublished": "2020-07-02T12:23:40",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:47:40.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5901 (GCVE-0-2020-5901)
Vulnerability from nvd – Published: 2020-07-01 14:03 – Updated: 2024-08-04 08:47
VLAI?
Summary
In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system.
Severity ?
No CVSS data available.
CWE
- XSS
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | NGINX Controller |
Affected:
3.3.0-3.4.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:47:41.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K43520321"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "NGINX Controller",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.3.0-3.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-01T14:03:33",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.f5.com/csp/article/K43520321"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "f5sirt@f5.com",
"ID": "CVE-2020-5901",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NGINX Controller",
"version": {
"version_data": [
{
"version_value": "3.3.0-3.4.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.f5.com/csp/article/K43520321",
"refsource": "MISC",
"url": "https://support.f5.com/csp/article/K43520321"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2020-5901",
"datePublished": "2020-07-01T14:03:33",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:47:41.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}