RSS   Podatności dla 'Nginx controller'   RSS

2020-12-11
 
CVE-2020-27730

CWE-22
 

 
In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities.

 
2020-07-02
 
CVE-2020-5911

NVD-CWE-noinfo
 

 
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.

 
 
CVE-2020-5909

CWE-295
 

 
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.

 
2020-07-01
 
CVE-2020-5900

CWE-352
 

 
In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX Controller user interface.

 
2020-05-07
 
CVE-2020-5895

NVD-CWE-noinfo
 

 
On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault (SIGSEGV) by writing malformed messages to the socket.

 
 
CVE-2020-5894

CWE-384
 

 
On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out.

 
2020-04-23
 
CVE-2020-5867

CWE-20
 

 
In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages

 
 
CVE-2020-5866

CWE-200
 

 
In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments.

 
 
CVE-2020-5865

CWE-200
 

 
In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks.

 
 
CVE-2020-5864

CWE-295
 

 
In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default.

 


Copyright 2021, cxsecurity.com

 

Back to Top