Vulnerabilities > F5 > Nginx Controller
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2021-06-01 | CVE-2021-23019 | Insufficiently Protected Credentials vulnerability in F5 Nginx Controller | The NGINX Controller 2.0.0 through 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. | 7.8 |
2021-06-01 | CVE-2021-23020 | Use of Insufficiently Random Values vulnerability in F5 Nginx Controller | The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys. | 5.5 |
2021-06-01 | CVE-2021-23021 | Incorrect Permission Assignment for Critical Resource vulnerability in F5 Nginx Controller | The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644. | 5.5 |
2021-06-01 | CVE-2021-23018 | Cleartext Transmission of Sensitive Information vulnerability in F5 Nginx Controller | Intra-cluster communication does not use TLS. | 7.4 |
2020-12-11 | CVE-2020-27730 | Path Traversal vulnerability in multiple products | In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities. | 9.8 |
2020-07-02 | CVE-2020-5911 | Unspecified vulnerability in F5 Nginx Controller | In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL on Debian/Ubuntu systems. | 7.3 |
2020-07-02 | CVE-2020-5910 | Missing Authentication for Critical Function vulnerability in F5 Nginx Controller | In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized. | 7.5 |
2020-07-02 | CVE-2020-5909 | Improper Certificate Validation vulnerability in F5 Nginx Controller | In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in the NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. | 5.4 |
2020-07-01 | CVE-2020-5901 | Cross-site Scripting vulnerability in F5 Nginx Controller 3.3.0/3.4.0 | In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. | 9.6 |
2020-07-01 | CVE-2020-5899 | Insufficiently Protected Credentials vulnerability in F5 Nginx Controller | In NGINX Controller 3.0.0-3.4.0, the recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or has read access to the database to request a password reset using the email address of another registered user and then retrieve the recovery code. | 7.8 |