
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

In versions 2.x before 2.3.0 and all versions of 1.x, an attacker authorized to create or update Ingress objects can obtain the secrets available to the NGINX Ingress Controller. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K52125139 • CWE-20: Improper Input Validation

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

On versions 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K01051452 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K57735782 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

The NGINX Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world-readable, with current permission bits set to 644. • https://support.f5.com/csp/article/K36926027 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm, which could lead to predictable keys. • https://support.f5.com/csp/article/K45263486 • CWE-330: Use of Insufficiently Random Values