ID

VAR-202007-1103


CVE

CVE-2020-5910


TITLE

Neural Autonomic Transport System Authentication vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2020-007700

DESCRIPTION

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized. F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5 Corporation in the United States. The platform supports managing multiple NGINX instances using a visual interface. There is a security vulnerability in the NGINX Controller NATS message service in F5 NGINX Controller versions 1.0.1, 2.0.0 to 2.9.0, and 3.0.0 to 3.5.0. The vulnerability stems from the fact that the program does not perform any form of authentication. Attackers can use this vulnerability to eavesdrop on NATS connections and obtain data stored in message queues.

Trust: 1.71

sources: NVD: CVE-2020-5910 // JVNDB: JVNDB-2020-007700 // VULHUB: VHN-184035

AFFECTED PRODUCTS

vendor: f5 // model: nginx controller // scope: eq // version: 1.0.1

Trust: 1.8

vendor: f5 // model: nginx controller // scope: lte // version: 2.9.0

Trust: 1.0

vendor: f5 // model: nginx controller // scope: lte // version: 3.5.0

Trust: 1.0

vendor: f5 // model: nginx controller // scope: gte // version: 3.0.0

Trust: 1.0

vendor: f5 // model: nginx controller // scope: gte // version: 2.0.0

Trust: 1.0

vendor: f5 // model: nginx controller // scope: eq // version: 2.0.0 to 2.9.0

Trust: 0.8

vendor: f5 // model: nginx controller // scope: eq // version: 3.0.0 to 3.5.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-007700 // NVD: CVE-2020-5910

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5910
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-007700
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202007-106
value: HIGH

Trust: 0.6

VULHUB: VHN-184035
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-5910
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-007700
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-184035
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-5910
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-007700
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-184035 // JVNDB: JVNDB-2020-007700 // CNNVD: CNNVD-202007-106 // NVD: CVE-2020-5910

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.1

problemtype:CWE-287

Trust: 0.9

sources: VULHUB: VHN-184035 // JVNDB: JVNDB-2020-007700 // NVD: CVE-2020-5910

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-106

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202007-106

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-007700

PATCH

title: K59209532 // url: https://support.f5.com/csp/article/K59209532

Trust: 0.8

sources: JVNDB: JVNDB-2020-007700

EXTERNAL IDS

db: NVD // id: CVE-2020-5910

Trust: 2.5

db: JVNDB // id: JVNDB-2020-007700

Trust: 0.8

db: CNNVD // id: CNNVD-202007-106

Trust: 0.7

db: NSFOCUS // id: 47053

Trust: 0.6

db: AUSCERT // id: ESB-2020.2264

Trust: 0.6

db: VULHUB // id: VHN-184035

Trust: 0.1

sources: VULHUB: VHN-184035 // JVNDB: JVNDB-2020-007700 // CNNVD: CNNVD-202007-106 // NVD: CVE-2020-5910

REFERENCES

url:https://support.f5.com/csp/article/k59209532

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-5910

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5910

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.2264/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/47053

Trust: 0.6

sources: VULHUB: VHN-184035 // JVNDB: JVNDB-2020-007700 // CNNVD: CNNVD-202007-106 // NVD: CVE-2020-5910

SOURCES

db: VULHUB // id: VHN-184035
db: JVNDB // id: JVNDB-2020-007700
db: CNNVD // id: CNNVD-202007-106
db: NVD // id: CVE-2020-5910

LAST UPDATE DATE

2024-11-23T21:51:24.850000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-184035 // date: 2021-07-21T00:00:00
db: JVNDB // id: JVNDB-2020-007700 // date: 2020-08-21T00:00:00
db: CNNVD // id: CNNVD-202007-106 // date: 2020-07-15T00:00:00
db: NVD // id: CVE-2020-5910 // date: 2024-11-21T05:34:48.707

SOURCES RELEASE DATE

db: VULHUB // id: VHN-184035 // date: 2020-07-02T00:00:00
db: JVNDB // id: JVNDB-2020-007700 // date: 2020-08-21T00:00:00
db: CNNVD // id: CNNVD-202007-106 // date: 2020-07-02T00:00:00
db: NVD // id: CVE-2020-5910 // date: 2020-07-02T13:15:10.373