Page 3 of 26 results (0.008 seconds)

CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 0

In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. En las versiones de NGINX Controller anteriores a 3.2.0, una comunicación entre NGINX Controller y las instancias NGINX Plus omite una verificación de TLS por defecto. • https://security.netapp.com/advisory/ntap-20200430-0005 https://support.f5.com/csp/article/K27205552 • CWE-295: Improper Certificate Validation •

CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0

In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks. En versiones anteriores a la versión 3.3.0, el NGINX Controller está configurado para comunicarse con su servidor de base de datos Postgres sobre canales no cifrados, haciendo que los datos comunicados sean vulnerables a una intercepción por medio de ataques de tipo man-in-the-middle (MiTM). • https://security.netapp.com/advisory/ntap-20200430-0005 https://support.f5.com/csp/article/K21009022 • CWE-319: Cleartext Transmission of Sensitive Information •

CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0

In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The user which is created is only able to upload a new license to the system but cannot view or modify any other components of the system. En NGINX Controller versiones anteriores a 3.2.0, un atacante no autenticado con acceso de red a la API Controller puede crear cuentas de usuario no privilegiados. El usuario que es creado solo es capaz de cargar una nueva licencia en el sistema, pero no puede visualizar o modificar ningún otro componente del sistema. • https://security.netapp.com/advisory/ntap-20200430-0005 https://support.f5.com/csp/article/K14631834 •

CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 3

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. NGINX versiones anteriores a 1.17.7, con ciertas configuraciones de error_page, permite el trafico no autorizado de peticiones HTTP, como es demostrado por la capacidad de un atacante para leer páginas web no autorizadas en entornos donde NGINX está al frente de un equilibrador de carga. • https://github.com/0xleft/CVE-2019-20372 https://github.com/vuongnv3389-sec/CVE-2019-20372 http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00013.html http://nginx.org/en/CHANGES http://seclists.org/fulldisclosure/2021/Sep/36 https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf https://duo.com/docs/dng-notes#version-1.5.4-january-2020 https://github.com/kubernetes/ingress-nginx/pull/4859 https://github.com/nginx/nginx/commit&# • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 5.8EPSS: 0%CPEs: 11EXPL: 0

nginx http proxy module does not verify peer identity of https origin server which could facilitate man-in-the-middle attack (MITM) El módulo nginx http proxy no comprueba la identidad de peer del servidor de origen https, lo que podría facilitar un ataque de tipo man-in-the-middle (MITM) • http://www.openwall.com/lists/oss-security/2013/01/03/8 http://www.securityfocus.com/bid/57139 https://access.redhat.com/security/cve/cve-2011-4968 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4968 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2011-4968 https://exchange.xforce.ibmcloud.com/vulnerabilities/80952 https://security-tracker.debian.org/tracker/CVE-2011-4968 • CWE-20: Improper Input Validation •