CVE-2024-10318 – NGINX OpenID Connect Vulnerability
https://notcve.org/view.php?id=CVE-2024-10318
A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session. • https://my.f5.com/manage/s/article/K000148232 • CWE-384: Session Fixation •
CVE-2022-30535 – NGINX Ingress Controller vulnerability CVE-2022-30535
https://notcve.org/view.php?id=CVE-2022-30535
In versions 2.x before 2.3.0 and all versions of 1.x, An attacker authorized to create or update ingress objects can obtain the secrets available to the NGINX Ingress Controller. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En versiones 2.x anteriores a 2.3.0 y en todas las versiones de 1.x, un atacante autorizado a crear o actualizar objetos de entrada puede obtener los secretos disponibles para el controlador de entrada NGINX. Nota: Las versiones de software que han alcanzado el Fin del Soporte Técnico (EoTS) no son evaluadas • https://support.f5.com/csp/article/K52125139 • CWE-20: Improper Input Validation •
CVE-2021-23055
https://notcve.org/view.php?id=CVE-2021-23055
On version 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En versiones 2.x anteriores a 2.0.3 y en la versiones 1.x anteriores a 1.12.3, la restricción de la línea de comandos que controla el uso de fragmentos con NGINX Ingress Controller no es aplicada a los objetos Ingress. Nota: No son evaluadas las versiones de software que han alcanzado el Fin del Soporte Técnico (EoTS) • https://support.f5.com/csp/article/K01051452 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2018-1002104
https://notcve.org/view.php?id=CVE-2018-1002104
Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly. Las versiones anteriores a 1.5 del back-end predeterminado de ingreso de Kubernetes, que maneja el tráfico de ingreso no válido, expuso públicamente las métricas de prometeus. • https://github.com/kubernetes/ingress-nginx/pull/3125 • CWE-20: Improper Input Validation CWE-215: Insertion of Sensitive Information Into Debugging Code •