Details of VAR-202004-2011

ID

VAR-202004-2011

CVE

CVE-2020-5867

TITLE

NGINX Controller Agent Input verification vulnerability in installer

Trust: 0.8

sources: JVNDB: JVNDB-2020-004670

DESCRIPTION

In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages. NGINX Controller Agent An input verification vulnerability exists in the installer.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5 Corporation in the United States. The platform supports managing multiple NGINX instances using a visual interface. There is a security vulnerability in F5 NGINX Controller versions prior to 3.3.0. Attackers can exploit this vulnerability to install malicious software packages

Trust: 1.71

sources: NVD: CVE-2020-5867 // JVNDB: JVNDB-2020-004670 // VULHUB: VHN-183992

AFFECTED PRODUCTS

vendor:	f5	model:	nginx controller	scope:	lte	version:	2.9.0	Trust: 1.0
vendor:	f5	model:	nginx controller	scope:	lt	version:	3.3.0	Trust: 1.0
vendor:	f5	model:	nginx controller	scope:	gte	version:	3.0.0	Trust: 1.0
vendor:	netapp	model:	cloud backup	scope:	eq	version:	-	Trust: 1.0
vendor:	f5	model:	nginx controller	scope:	eq	version:	1.0.1	Trust: 1.0
vendor:	f5	model:	nginx controller	scope:	gte	version:	2.0.0	Trust: 1.0
vendor:	f5	model:	nginx controller	scope:	eq	version:	3.3.0	Trust: 0.8

sources: JVNDB: JVNDB-2020-004670 // NVD: CVE-2020-5867

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-5867
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2020-004670
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202004-2026
value:	HIGH
Trust: 0.6
VULHUB:	VHN-183992
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-5867
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-004670
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-183992
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-5867
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-004670
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-183992 // JVNDB: JVNDB-2020-004670 // CNNVD: CNNVD-202004-2026 // NVD: CVE-2020-5867

PROBLEMTYPE DATA

problemtype:	CWE-319	Trust: 1.1
problemtype:	CWE-494	Trust: 1.1
problemtype:	CWE-20	Trust: 0.9

sources: VULHUB: VHN-183992 // JVNDB: JVNDB-2020-004670 // NVD: CVE-2020-5867

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-2026

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202004-2026

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-004670

PATCH

title:

K00958787

url:

https://support.f5.com/csp/article/K00958787

Trust: 0.8

sources: JVNDB: JVNDB-2020-004670

EXTERNAL IDS

db:	NVD	id:	CVE-2020-5867	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-004670	Trust: 0.8
db:	CNNVD	id:	CNNVD-202004-2026	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.1419	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.1419.2	Trust: 0.6
db:	CNVD	id:	CNVD-2020-33472	Trust: 0.1
db:	VULHUB	id:	VHN-183992	Trust: 0.1

sources: VULHUB: VHN-183992 // JVNDB: JVNDB-2020-004670 // CNNVD: CNNVD-202004-2026 // NVD: CVE-2020-5867

REFERENCES

url:	https://security.netapp.com/advisory/ntap-20200430-0005/	Trust: 1.7
url:	https://support.f5.com/csp/article/k00958787	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-5867	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5867	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.1419.2/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1419/	Trust: 0.6

sources: VULHUB: VHN-183992 // JVNDB: JVNDB-2020-004670 // CNNVD: CNNVD-202004-2026 // NVD: CVE-2020-5867

SOURCES

db:	VULHUB	id:	VHN-183992
db:	JVNDB	id:	JVNDB-2020-004670
db:	CNNVD	id:	CNNVD-202004-2026
db:	NVD	id:	CVE-2020-5867

LAST UPDATE DATE

2024-11-23T21:51:29.984000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-183992	date:	2022-04-26T00:00:00
db:	JVNDB	id:	JVNDB-2020-004670	date:	2020-05-25T00:00:00
db:	CNNVD	id:	CNNVD-202004-2026	date:	2022-04-27T00:00:00
db:	NVD	id:	CVE-2020-5867	date:	2024-11-21T05:34:43.950

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-183992	date:	2020-04-23T00:00:00
db:	JVNDB	id:	JVNDB-2020-004670	date:	2020-05-25T00:00:00
db:	CNNVD	id:	CNNVD-202004-2026	date:	2020-04-23T00:00:00
db:	NVD	id:	CVE-2020-5867	date:	2020-04-23T20:15:13.163