ID

VAR-202007-1400


CVE

CVE-2020-5909


TITLE

Certificate validation vulnerability in NGINX Controller

Trust: 0.8

sources: JVNDB: JVNDB-2020-007466

DESCRIPTION

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in the NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. NGINX Controller contains a certificate validation vulnerability. Information may be obtained and tampered with. F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5 Corporation in the United States. The platform supports managing multiple NGINX instances using a visual interface. F5 NGINX Controller version 1.0.1, version 2.0.0 to version 2.9.0 and version 3.0.0 to version 3.5.0 have a security vulnerability. The vulnerability is caused by the program not correctly validating the server TLS certificate. An attacker could exploit this vulnerability to intercept the communication channel and read or modify data in transit.

Trust: 1.71

sources: NVD: CVE-2020-5909 // JVNDB: JVNDB-2020-007466 // VULHUB: VHN-184034

AFFECTED PRODUCTS

vendor: f5, model: nginx controller, scope: eq, version: 1.0.1

Trust: 1.8

vendor: f5, model: nginx controller, scope: lte, version: 2.9.0

Trust: 1.0

vendor: f5, model: nginx controller, scope: lte, version: 3.5.0

Trust: 1.0

vendor: f5, model: nginx controller, scope: gte, version: 3.0.0

Trust: 1.0

vendor: f5, model: nginx controller, scope: gte, version: 2.0.0

Trust: 1.0

vendor: f5, model: nginx controller, scope: eq, version: 2.0.0 to 2.9.0

Trust: 0.8

vendor: f5, model: nginx controller, scope: eq, version: 3.0.0 to 3.5.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-007466 // NVD: CVE-2020-5909

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5909
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-007466
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202007-105
value: MEDIUM

Trust: 0.6

VULHUB: VHN-184034
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-5909
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-007466
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-184034
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-5909
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-007466
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-184034 // JVNDB: JVNDB-2020-007466 // CNNVD: CNNVD-202007-105 // NVD: CVE-2020-5909

PROBLEMTYPE DATA

problemtype:CWE-295

Trust: 1.9

sources: VULHUB: VHN-184034 // JVNDB: JVNDB-2020-007466 // NVD: CVE-2020-5909

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-105

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202007-105

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-007466

PATCH

title: K31150658, url: https://support.f5.com/csp/article/K31150658

Trust: 0.8

sources: JVNDB: JVNDB-2020-007466

EXTERNAL IDS

db: NVD, id: CVE-2020-5909

Trust: 2.5

db: JVNDB, id: JVNDB-2020-007466

Trust: 0.8

db: CNNVD, id: CNNVD-202007-105

Trust: 0.7

db: AUSCERT, id: ESB-2020.2264

Trust: 0.6

db: VULHUB, id: VHN-184034

Trust: 0.1

sources: VULHUB: VHN-184034 // JVNDB: JVNDB-2020-007466 // CNNVD: CNNVD-202007-105 // NVD: CVE-2020-5909

REFERENCES

url:https://support.f5.com/csp/article/k31150658

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-5909

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5909

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.2264/

Trust: 0.6

sources: VULHUB: VHN-184034 // JVNDB: JVNDB-2020-007466 // CNNVD: CNNVD-202007-105 // NVD: CVE-2020-5909

SOURCES

db: VULHUB, id: VHN-184034
db: JVNDB, id: JVNDB-2020-007466
db: CNNVD, id: CNNVD-202007-105
db: NVD, id: CVE-2020-5909

LAST UPDATE DATE

2024-11-23T21:51:24.825000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-184034, date: 2020-07-08T00:00:00
db: JVNDB, id: JVNDB-2020-007466, date: 2020-08-14T00:00:00
db: CNNVD, id: CNNVD-202007-105, date: 2022-03-15T00:00:00
db: NVD, id: CVE-2020-5909, date: 2024-11-21T05:34:48.597

SOURCES RELEASE DATE

db: VULHUB, id: VHN-184034, date: 2020-07-02T00:00:00
db: JVNDB, id: JVNDB-2020-007466, date: 2020-08-14T00:00:00
db: CNNVD, id: CNNVD-202007-105, date: 2020-07-02T00:00:00
db: NVD, id: CVE-2020-5909, date: 2020-07-02T13:15:10.310