NGINX Service Mesh Control Plane Vulnerability Exposes Endpoints
CVE-2022-27495

6.5MEDIUM

Key Information:

Vendor: F5
Status: Nginx Service Mesh
Vendor: CVE Published:; 5 May 2022

Summary

A significant vulnerability exists in NGINX Service Mesh where control plane endpoints are exposed to the cluster overlay network in all versions 1.3.x. This exposure may lead to unauthorized access and manipulation of the service mesh, potentially compromising the integrity of the applications and services managed within the cluster environment. Users are encouraged to upgrade to version 1.4.0 or later to mitigate this issue and secure their deployments.

Affected Version(s)

NGINX Service Mesh 1.3.x

NGINX Service Mesh 1.4.0 < 1.4.x*

References

https://support.f5.com/csp/article/K94093538

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 5, 2022
Vulnerability Reserved
Apr 19, 2022