CVE-2023-28656

CWE-639 — Insecure Direct Object Reference4 documents4 sources

Severity

8.1HIGH

EPSS

0.3%

top 49.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx API Connectivity Manager F5 Nginx Instance Manager F5 Nginx Security Monitoring

Timeline

PublishedMay 3

Latest updateJul 6

Description

NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages6 packages

▶CVEListV5f5/nginx_instance_manager2.0.0 — 2.9.0

▶NVDf5/nginx_instance_manager2.0.0 — 2.9.0

▶CVEListV5f5/nginx_security_monitoring1.0.0 — 1.3.0

▶NVDf5/nginx_security_monitoring1.0.0 — 1.3.0

▶CVEListV5f5/nginx_api_connectivity_manager1.0.0 — 1.5.0

🔴Vulnerability Details

GHSA

GHSA-gjg3-3x79-mxh4: NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment↗2023-07-06

▶

CVEList

NGINX Management Suite vulnerability↗2023-05-03

▶

📋Vendor Advisories

CVE-2023-28656: NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their a...↗2023-05-03

▶