Improper Authentication in NGINX Controller - CVE-2020-5910
Published: July 2, 2020 / Updated: December 17, 2020
Vulnerability identifier: #VU34178
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-5910
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
NGINX Controller
NGINX Controller
Software vendor:
F5 Networks
F5 Networks
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
Remediation
Install update from vendor's website.