5 results (0.001 seconds)

CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session. • https://my.f5.com/manage/s/article/K000148232 • CWE-384: Session Fixation •

CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0

NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000133233 https://security.netapp.com/advisory/ntap-20230609-0006 • CWE-276: Incorrect Default Permissions •

CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0

NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000133417 https://security.netapp.com/advisory/ntap-20230609-0006 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0

Insertion of Sensitive Information into log file vulnerability in NGINX Agent. NGINX Agent version 2.0 before 2.23.3 inserts sensitive information into a log file. An authenticated attacker with local access to read agent log files may gain access to private keys. This issue is only exposed when the non-default trace level logging is enabled. Note: NGINX Agent is included with NGINX Instance Manager and used in conjunction with NGINX API Connectivity Manager, and NGINX Management Suite Security Monitoring. • https://my.f5.com/manage/s/article/K000133135 https://security.netapp.com/advisory/ntap-20230511-0008 • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En las versiones 2.x anteriores a la 2.3.1 y en todas las versiones de 1.x, cuando es usado NGINX Instance Manager, las peticiones no reveladas pueden causar un aumento en el uso de los recursos del disco. Nota: Las versiones de software que han alcanzado el fin del soporte técnico (EoTS) no son evaluadas • https://support.f5.com/csp/article/K37080719 • CWE-400: Uncontrolled Resource Consumption •