Skip to main content

Nginx Controller

18 CVEs product

Monthly

CVE-2021-23021 MEDIUM This Month

The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-23020 MEDIUM This Month

The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Controller
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2021-23019 HIGH This Week

The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-23018 HIGH This Week

Intra-cluster communication does not use TLS. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
CVSS 3.1
7.4
EPSS
0.5%
CVE-2020-27730 CRITICAL Act Now

In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Path Traversal Nginx Controller Cloud Backup
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-5911 HIGH This Week

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubuntu Nginx Debian Kubernetes Information Disclosure +1
NVD
CVSS 3.1
7.3
EPSS
1.0%
CVE-2020-5910 HIGH This Week

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Nginx Nginx Controller
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-5909 MEDIUM This Month

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2020-5901 CRITICAL Act Now

In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Nginx Nginx Controller
NVD
CVSS 3.1
9.6
EPSS
1.5%
CVE-2020-5899 HIGH This Week

In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2020-5900 HIGH This Week

In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Nginx Nginx Controller
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2020-5895 HIGH This Week

On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-5894 HIGH This Week

On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Nginx Nginx Controller
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2020-5867 HIGH This Week

In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Nginx Controller Cloud Backup
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2020-5866 MEDIUM This Month

In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-5865 MEDIUM This Month

In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Nginx Nginx Controller Cloud Backup
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2020-5864 HIGH This Week

In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
CVSS 3.1
7.4
EPSS
1.0%
CVE-2020-5863 HIGH This Week

In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller Cloud Backup
NVD
CVSS 3.1
8.6
EPSS
1.1%
EPSS 0% CVSS 5.5
MEDIUM This Month

The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Controller
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
EPSS 1% CVSS 7.4
HIGH This Week

Intra-cluster communication does not use TLS. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Path Traversal Nginx Controller +1
NVD
EPSS 1% CVSS 7.3
HIGH This Week

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubuntu Nginx Debian +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Nginx Nginx Controller
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
EPSS 1% CVSS 9.6
CRITICAL Act Now

In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Nginx Nginx Controller
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
EPSS 0% CVSS 8.8
HIGH This Week

In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Nginx Nginx Controller
NVD
EPSS 0% CVSS 7.8
HIGH This Week

On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
EPSS 1% CVSS 8.1
HIGH This Week

On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Nginx +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Nginx Controller +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Controller
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Nginx +2
NVD
EPSS 1% CVSS 7.4
HIGH This Week

In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Nginx Nginx Controller
NVD
EPSS 1% CVSS 8.6
HIGH This Week

In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Controller +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy