VYPR

Controller

by Nginx

CVEs (8)

  • CVE-2020-5901CriJul 1, 2020
    risk 0.63cvss 9.6epss 0.01

    In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user is logged in as admin this could result in a complete compromise of the system.

  • CVE-2020-5863HigMar 27, 2020
    risk 0.56cvss 8.6epss 0.01

    In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other components…

  • CVE-2020-5894HigMay 7, 2020
    risk 0.53cvss 8.1epss 0.01

    On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out.

  • CVE-2020-5899HigJul 1, 2020
    risk 0.51cvss 7.8epss 0.00

    In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using…

  • CVE-2020-5895HigMay 7, 2020
    risk 0.51cvss 7.8epss 0.00

    On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or users on the local system to write arbitrary data into the socket. A local system attacker can make AVRD segmentation fault (SIGSEGV) by…

  • CVE-2020-5910HigJul 2, 2020
    risk 0.49cvss 7.5epss 0.01

    In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.

  • CVE-2020-5911HigJul 2, 2020
    risk 0.48cvss 7.3epss 0.01

    In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.

  • CVE-2020-5866MedApr 23, 2020
    risk 0.36cvss 5.5epss 0.00

    In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments.