Insufficient CSRF Protections in NGINX Controller by F5 Networks
CVE-2020-5900
8.8 HIGH
Summary
In specific versions, the NGINX Controller from F5 Networks lacks adequate protections against Cross-Site Request Forgery (CSRF). The vulnerability arises from insufficient safeguards within the user interface, potentially allowing unauthenticated users to perform actions on behalf of authenticated users without their consent. Organizations using affected versions should implement additional security measures to mitigate the risks associated with this vulnerability.
Affected Version(s)
NGINX Controller 3.0.0-3.4.0, 2.0.0-2.9.0, 1.0.1
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved