NGINX Controller Agent Installer Script Vulnerability in F5 Networks
CVE-2020-5867

8.1 HIGH

Key Information:

Vendor: F5
CVE Published: 23 April 2020

Summary

The NGINX Controller Agent installer script, 'install.sh', prior to version 3.3.0 uses HTTP instead of HTTPS for package checking and installation. Because that traffic is unencrypted and unauthenticated, an attacker able to intercept it can manipulate the installation process, leading to security risks such as data integrity issues and unauthorized access to system resources. Users are encouraged to upgrade to the latest version to mitigate this vulnerability and ensure secure package management.
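
One way to check an installer script for the weakness described above, as an added example that is not F5's code and not part of the original advisory. It goes slightly beyond the summary by also flagging disabled TLS certificate verification; the sample script, its placeholder hostnames, and the function names `audit_installer` and `write_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an installer script for fetches without transport integrity.

# Prints "LINE:REASON:TEXT" for each non-comment line that uses plaintext HTTP
# or turns off TLS certificate verification. Returns 1 if anything was found.
audit_installer() {
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        /http:\/\// {                            # repo, version check or download over HTTP
            printf "%d:plaintext-http:%s\n", NR, $0; found = 1; next
        }
        /curl[^|;]*[ \t](-[A-Za-z]*k[A-Za-z]*|--insecure)([ \t]|$)/ {
            printf "%d:tls-verification-disabled:%s\n", NR, $0; found = 1; next
        }
        /wget[^|;]*--no-check-certificate/ {
            printf "%d:tls-verification-disabled:%s\n", NR, $0; found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample installer (assumption: this is NOT the real install.sh).
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# docs: http://example.invalid/readme
curl -fsS http://packages.example.invalid/agent/version -o /tmp/version
echo "deb http://packages.example.invalid/deb stable main" > /tmp/agent.list
curl -fsSk https://packages.example.invalid/key.asc -o /tmp/key.asc
wget --no-check-certificate https://packages.example.invalid/agent.rpm
curl -fsS https://packages.example.invalid/agent/install-check
EOF
}

# Usage: audit_installer ./install.sh
```

A non-zero return from `audit_installer` makes it usable as a gate before an installer script is executed with root privileges.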

Affected Version(s)

NGINX Controller < 3.3.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
