CVE-2020-5909

CWE-295 — Improper Certificate Validation4 documents4 sources

Severity

5.4MEDIUM

EPSS

0.1%

top 69.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx Controller

Timeline

PublishedJul 2

Latest updateMay 24

Description

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDf5/nginx_controller2.0.0 — 2.9.0+2

▶CVEListV5nginx_controller3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1

🔴Vulnerability Details

GHSA

GHSA-989x-v562-xr5m: In versions 3↗2022-05-24

▶

CVEList

CVE-2020-5909: In versions 3↗2020-07-02

▶

📋Vendor Advisories

CVE-2020-5909: In versions 3↗2020-07-02

▶