ID

VAR-202003-1559


CVE

CVE-2020-5863


TITLE

Unauthorized authentication vulnerability in NGINX Controller

Trust: 0.8

sources: JVNDB: JVNDB-2020-003530

DESCRIPTION

In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. The created user is only able to upload a new license to the system and cannot view or modify any other components of the system. A fraudulent authentication vulnerability exists in NGINX Controller. Information may be obtained or tampered with, and service operation may be interrupted (DoS). NGINX is a lightweight web server/reverse proxy server and e-mail (IMAP/POP3) proxy server from the American company NGINX. The vulnerability stems from the fact that the Controller API does not perform correct access control.

Trust: 1.71

sources: NVD: CVE-2020-5863 // JVNDB: JVNDB-2020-003530 // VULHUB: VHN-183988

AFFECTED PRODUCTS

vendor: f5, model: nginx controller, scope: lte, version: 2.9.0

Trust: 1.0

vendor: f5, model: nginx controller, scope: gte, version: 3.0.0

Trust: 1.0

vendor: netapp, model: cloud backup, scope: eq, version: -

Trust: 1.0

vendor: f5, model: nginx controller, scope: eq, version: 1.0.1

Trust: 1.0

vendor: f5, model: nginx controller, scope: gte, version: 2.0.0

Trust: 1.0

vendor: f5, model: nginx controller, scope: lt, version: 3.2.0

Trust: 1.0

vendor: f5, model: nginx controller, scope: eq, version: 3.2.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-003530 // NVD: CVE-2020-5863

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5863
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-003530
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202003-1280
value: HIGH

Trust: 0.6

VULHUB: VHN-183988
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-5863
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003530
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-183988
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-5863
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 4.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003530
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-183988 // JVNDB: JVNDB-2020-003530 // CNNVD: CNNVD-202003-1280 // NVD: CVE-2020-5863

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-863

Trust: 0.9

sources: VULHUB: VHN-183988 // JVNDB: JVNDB-2020-003530 // NVD: CVE-2020-5863

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1280

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202003-1280

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003530

PATCH

title: K14631834, url: https://support.f5.com/csp/article/K14631834

Trust: 0.8

title: NGINX Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112749

Trust: 0.6

sources: JVNDB: JVNDB-2020-003530 // CNNVD: CNNVD-202003-1280

EXTERNAL IDS

db: NVD, id: CVE-2020-5863

Trust: 2.5

db: JVNDB, id: JVNDB-2020-003530

Trust: 0.8

db: CNNVD, id: CNNVD-202003-1280

Trust: 0.7

db: AUSCERT, id: ESB-2020.1011

Trust: 0.6

db: VULHUB, id: VHN-183988

Trust: 0.1

sources: VULHUB: VHN-183988 // JVNDB: JVNDB-2020-003530 // CNNVD: CNNVD-202003-1280 // NVD: CVE-2020-5863

REFERENCES

url: https://security.netapp.com/advisory/ntap-20200430-0005/

Trust: 1.7

url: https://support.f5.com/csp/article/k14631834

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-5863

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5863

Trust: 0.8

url: https://www.ibm.com/blogs/psirt/security-bulletin-nginx-vulnerability-cve-2020-5863-impacts-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-versions-prior-to-v4-0/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.1011/

Trust: 0.6

sources: VULHUB: VHN-183988 // JVNDB: JVNDB-2020-003530 // CNNVD: CNNVD-202003-1280 // NVD: CVE-2020-5863

SOURCES

db: VULHUB, id: VHN-183988
db: JVNDB, id: JVNDB-2020-003530
db: CNNVD, id: CNNVD-202003-1280
db: NVD, id: CVE-2020-5863

LAST UPDATE DATE

2024-11-23T21:36:01.761000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-183988, date: 2022-04-22T00:00:00
db: JVNDB, id: JVNDB-2020-003530, date: 2020-04-17T00:00:00
db: CNNVD, id: CNNVD-202003-1280, date: 2022-04-24T00:00:00
db: NVD, id: CVE-2020-5863, date: 2024-11-21T05:34:43.503

SOURCES RELEASE DATE

db: VULHUB, id: VHN-183988, date: 2020-03-27T00:00:00
db: JVNDB, id: JVNDB-2020-003530, date: 2020-04-17T00:00:00
db: CNNVD, id: CNNVD-202003-1280, date: 2020-03-20T00:00:00
db: NVD, id: CVE-2020-5863, date: 2020-03-27T15:15:12.600