Every CVE whose affected-product data names F5 Nginx Controller, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (18)
CVE-2020-27730 — CVSS 9.8 (critical): In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities.
CVE-2020-5901 — CVSS 9.6 (critical): In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow for a reflected Cross Site Scripting (XSS) attack. If the victim user…
CVE-2020-5900 — CVSS 8.8 (high): In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient cross-site request forgery (CSRF) protections for the NGINX…
CVE-2020-5863 — CVSS 8.6 (high): In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged…
CVE-2020-5867 — CVSS 8.1 (high): In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install…
CVE-2020-5894 — CVSS 8.1 (high): On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out.
CVE-2021-23019 — CVSS 7.8 (high): The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included…
CVE-2020-5895 — CVSS 7.8 (high): On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and world-writable permissions on its socket, which allows processes or…
CVE-2020-5899 — CVSS 7.8 (high): In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain…
CVE-2020-5910 — CVSS 7.5 (high): In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX…
CVE-2020-5864 — CVSS 7.4 (high): In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by…
CVE-2021-23018 — CVSS 7.4 (high): Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext…
CVE-2020-5911 — CVSS 7.3 (high): In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL…
CVE-2021-23021 — CVSS 5.5 (medium): The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission…
CVE-2020-5866 — CVSS 5.5 (medium): In versions of NGINX Controller prior to 3.3.0, the helper.sh script, which is used optionally in NGINX Controller to change settings, uses…
CVE-2021-23020 — CVSS 5.5 (medium): The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to…
CVE-2020-5909 — CVSS 5.4 (medium): In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the…
CVE-2020-5865 — CVSS 4.8 (medium): In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels…