CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5894
https://notcve.org/view.php?id=CVE-2020-5894
On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. En las versiones 3.0.0 hasta 3.3.0, el servidor web de NGINX Controller no invalida el token de sesión del lado del servidor después de que los usuarios cierran sesión. • https://support.f5.com/csp/article/K13028514 • CWE-384: Session Fixation •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-5867
https://notcve.org/view.php?id=CVE-2020-5867
In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages En versiones anteriores a la versión 3.3.0, el instalador de NGINX Controller Agent "install.sh" usa HTTP en lugar de HTTPS para comprobar e instalar paquetes. • https://security.netapp.com/advisory/ntap-20200430-0005 https://support.f5.com/csp/article/K00958787 • CWE-319: Cleartext Transmission of Sensitive Information CWE-494: Download of Code Without Integrity Check •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-5866
https://notcve.org/view.php?id=CVE-2020-5866
In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses sensitive items as command-line arguments. En las versiones de NGINX Controller anteriores a la versión 3.3.0, el script helper.sh, que es usado opcionalmente en NGINX Controller para cambiar la configuración, usa elementos confidenciales como argumentos de línea de comandos. • https://security.netapp.com/advisory/ntap-20200430-0005 https://support.f5.com/csp/article/K11922628 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 0CVE-2020-5864
https://notcve.org/view.php?id=CVE-2020-5864
In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. En las versiones de NGINX Controller anteriores a 3.2.0, una comunicación entre NGINX Controller y las instancias NGINX Plus omite una verificación de TLS por defecto. • https://security.netapp.com/advisory/ntap-20200430-0005 https://support.f5.com/csp/article/K27205552 • CWE-295: Improper Certificate Validation •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-5865
https://notcve.org/view.php?id=CVE-2020-5865
In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks. En versiones anteriores a la versión 3.3.0, el NGINX Controller está configurado para comunicarse con su servidor de base de datos Postgres sobre canales no cifrados, haciendo que los datos comunicados sean vulnerables a una intercepción por medio de ataques de tipo man-in-the-middle (MiTM). • https://security.netapp.com/advisory/ntap-20200430-0005 https://support.f5.com/csp/article/K21009022 • CWE-319: Cleartext Transmission of Sensitive Information •