Improper Certificate Validation in NGINX Controller - CVE-2020-5909
Published: July 2, 2020 / Updated: December 17, 2020
Vulnerability identifier: #VU34177
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-5909
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
NGINX Controller
Software vendor:
F5 Networks
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in the NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
Remediation
Install the update from the vendor's website.