Local System Vulnerability in NGINX Controller by F5 Networks
CVE-2020-5895

7.8HIGH

Key Information:

Vendor: F5
Status: Nginx Controller
Vendor: CVE Published:; 7 May 2020

Summary

The NGINX Controller, specifically in versions 3.1.0 to 3.3.0, contains a vulnerability due to AVRD using inadequate permissions on its socket. This flaw exposes the socket to world-readable and world-writable access, enabling malicious processes or users on the local system to inject arbitrary data. Such an attack can lead to instability in the AVRD, causing segmentation faults and potential disruption of services.

Affected Version(s)

NGINX Controller < 3.4.0

References

https://support.f5.com/csp/article/K95120415

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20200522-0001/

x_refsource_CONFIRM

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 7, 2020
Vulnerability Reserved
Jan 6, 2020