CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-10318 – NGINX OpenID Connect Vulnerability
https://notcve.org/view.php?id=CVE-2024-10318
06 Nov 2024 — A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session. • https://my.f5.com/manage/s/article/K000148232 • CWE-384: Session Fixation •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30535 – NGINX Ingress Controller vulnerability CVE-2022-30535
https://notcve.org/view.php?id=CVE-2022-30535
04 Aug 2022 — In versions 2.x before 2.3.0 and all versions of 1.x, An attacker authorized to create or update ingress objects can obtain the secrets available to the NGINX Ingress Controller. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En versiones 2.x anteriores a 2.3.0 y en todas las versiones de 1.x, un atacante autorizado a crear o actualizar objetos de entrada puede obtener los secretos disponibles para el controlador de entrada NGINX. Nota: Las versiones de softwar... • https://support.f5.com/csp/article/K52125139 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-23055
https://notcve.org/view.php?id=CVE-2021-23055
21 Apr 2022 — On version 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En versiones 2.x anteriores a 2.0.3 y en la versiones 1.x anteriores a 1.12.3, la restricción de la línea de comandos que controla el uso de fragmentos con NGINX Ingress Controller no es aplicada a los objetos Ingress. Nota: No son evaluadas las v... • https://support.f5.com/csp/article/K01051452 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1002104
https://notcve.org/view.php?id=CVE-2018-1002104
14 Jan 2020 — Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly. Las versiones anteriores a 1.5 del back-end predeterminado de ingreso de Kubernetes, que maneja el tráfico de ingreso no válido, expuso públicamente las métricas de prometeus. • https://github.com/kubernetes/ingress-nginx/pull/3125 • CWE-20: Improper Input Validation CWE-215: Insertion of Sensitive Information Into Debugging Code •