CVE-2020-5910: Missing Authentication for Critical Function in F5 Nginx Controller

Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 42.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 2
Latest update: May 24

Description

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD: f5/nginx_controller 2.0.0 2.9.0 +2
CVEListV5: f5/nginx_controller 3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1

🔴 Vulnerability Details (2)

GHSA: GHSA-3h32-r78h-g4px: In versions 3 (2022-05-24)
CVEList: CVE-2020-5910: In versions 3 (2020-07-02)

📋 Vendor Advisories (1)

F5: CVE-2020-5910: In versions 3 (2020-07-02)