CVE-2023-28724

CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

7.1HIGH

EPSS

0.1%

top 74.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx API Connectivity Manager F5 Nginx Instance Manager F5 Nginx Security Monitoring

Timeline

PublishedMay 3

Latest updateJul 6

Description

NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2

Affected Packages6 packages

▶CVEListV5f5/nginx_instance_manager2.0.0 — 2.9.0+1

▶NVDf5/nginx_instance_manager2.0.0 — 2.9.0

▶CVEListV5f5/nginx_api_connectivity_manager1.0.0 — 1.5.0

▶NVDf5/nginx_api_connectivity_manager1.0.0 — 1.5.0

▶CVEListV5f5/nginx_security_monitoring1.0.0 — 1.3.0

🔴Vulnerability Details

GHSA

GHSA-9mcp-v29j-j4hp: NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Ma↗2023-07-06

▶

CVEList

NGINX Management Suite vulnerability↗2023-05-03

▶

📋Vendor Advisories

CVE-2023-28724: NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sen...↗2023-05-03

▶