Improper Authentication in NGINX Controller - CVE-2020-5910

 

Improper Authentication in NGINX Controller - CVE-2020-5910

Published: July 2, 2020 / Updated: December 17, 2020


Vulnerability identifier: #VU34178
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-5910
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: F5 Networks
Affected software:
NGINX Controller

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.


How to mitigate CVE-2020-5910

Install update from vendor's website.

Sources