CPE Details
F5 NGINX Controller 3.2.0
3.2.0
2020-03-30
11h48 +00:00
11h48 +00:00
2020-03-30
11h48 +00:00
11h48 +00:00
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
CPE Name: cpe:2.3:a:f5:nginx_controller:3.2.0:*:*:*:*:*:*:*
Informations
Vendor
f5Product
nginx_controllerVersion
3.2.0Related CVE
| CVE ID | Publié | Description | Score | Gravité |
|---|---|---|---|---|
| The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644. | 5.5 |
Moyen |
||
| The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys. | 5.5 |
Moyen |
||
| The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. | 7.8 |
Haute |
||
| Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster. | 7.4 |
Haute |
||
| In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities. | 9.8 |
Critique |
||
| In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. | 5.4 |
Moyen |
||
| In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized. | 7.5 |
Haute |
||
| In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system. | 7.3 |
Haute |
||
| In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code. | 7.8 |
Haute |
||
| In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface. | 8.8 |
Haute |
||
| On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault (SIGSEGV) by writing malformed messages to the socket. | 7.8 |
Haute |
||
| On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. | 8.1 |
Haute |
||
| In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages | 8.1 |
Haute |
||
| In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments. | 5.5 |
Moyen |
||
| In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. | 7.4 |
Haute |
||
| In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks. | 4.8 |
Moyen |
2025©
tesweb SA
