Search

Find a vulnerability

Search criteria

    11 vulnerabilities found for NGINX Instance Manager by F5

    CERTFR-2024-AVI-0952

    Vulnerability from certfr_avis - Published: 2024-11-08 - Updated: 2024-11-08

    Une vulnérabilité a été découverte dans les produits F5. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    F5 NGINX Ingress Controller NGINX Ingress Controller versions antérieures à 3.7.1
    F5 NGINX Plus NGINX Plus toutes versions
    F5 NGINX API Connectivity Manager NGINX API Connectivity Manager versions 1.x postérieures à 1.3.0 et antérieures à 1.9.3
    F5 NGINX Instance Manager NGINX Instance Manager versions 2.x postérieures à 2.5.0 et antérieures à 2.17.4
    References
    Bulletin de sécurité F5 K000148232 2024-11-06 vendor-advisory

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "NGINX Ingress Controller versions ant\u00e9rieures \u00e0 3.7.1",
          "product": {
            "name": "NGINX Ingress Controller",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        },
        {
          "description": "NGINX Plus toutes versions",
          "product": {
            "name": "NGINX Plus",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        },
        {
          "description": "NGINX API Connectivity Manager versions 1.x post\u00e9rieures \u00e0 1.3.0 et ant\u00e9rieures \u00e0 1.9.3",
          "product": {
            "name": "NGINX API Connectivity Manager",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        },
        {
          "description": "NGINX Instance Manager versions 2.x post\u00e9rieures \u00e0 2.5.0 et ant\u00e9rieures \u00e0 2.17.4",
          "product": {
            "name": "NGINX Instance Manager",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2024-10318",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-10318"
        }
      ],
      "initial_release_date": "2024-11-08T00:00:00",
      "last_revision_date": "2024-11-08T00:00:00",
      "links": [],
      "reference": "CERTFR-2024-AVI-0952",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2024-11-08T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans les produits F5. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
      "title": "Vuln\u00e9rabilit\u00e9 dans les produits F5",
      "vendor_advisories": [
        {
          "published_at": "2024-11-06",
          "title": "Bulletin de s\u00e9curit\u00e9 F5 K000148232",
          "url": "https://my.f5.com/manage/s/article/K000148232"
        }
      ]
    }

    CERTFR-2022-AVI-704

    Vulnerability from certfr_avis - Published: 2022-08-04 - Updated: 2022-08-04

    De multiples vulnérabilités ont été découvertes dans les produits F5. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

    Solution

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    None
    Impacted products
    Vendor Product Description
    F5 BIG-IP BIG-IP (tous modules) versions 16.x antérieures à 16.1.3.1
    F5 BIG-IP BIG-IP (tous modules) versions 17.x antérieures à 17.0.0.1
    F5 BIG-IP BIG-IP (tous modules) versions 15.x antérieures à 15.1.6.1
    F5 NGINX Instance Manager NGINX Instance Manager versions 2.x antérieures à 2.3.1
    F5 BIG-IQ BIG-IQ Centralized Management versions 8.x antérieures à 8.2.0
    F5 NGINX Ingress Controller NGINX Ingress Controller versions 2.x antérieures à 2.3.0
    F5 BIG-IP BIG-IP (tous modules) versions 14.x antérieures à 14.1.5.1
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "BIG-IP (tous modules) versions 16.x ant\u00e9rieures \u00e0 16.1.3.1",
          "product": {
            "name": "BIG-IP",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        },
        {
          "description": "BIG-IP (tous modules) versions 17.x ant\u00e9rieures \u00e0 17.0.0.1",
          "product": {
            "name": "BIG-IP",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        },
        {
          "description": "BIG-IP (tous modules) versions 15.x ant\u00e9rieures \u00e0 15.1.6.1",
          "product": {
            "name": "BIG-IP",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        },
        {
          "description": "NGINX Instance Manager versions 2.x ant\u00e9rieures \u00e0 2.3.1",
          "product": {
            "name": "NGINX Instance Manager",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        },
        {
          "description": "BIG-IQ Centralized Management versions 8.x ant\u00e9rieures \u00e0 8.2.0",
          "product": {
            "name": "BIG-IQ",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        },
        {
          "description": "NGINX Ingress Controller versions 2.x ant\u00e9rieures \u00e0 2.3.0",
          "product": {
            "name": "NGINX Ingress Controller",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        },
        {
          "description": "BIG-IP (tous modules) versions 14.x ant\u00e9rieures \u00e0 14.1.5.1",
          "product": {
            "name": "BIG-IP",
            "vendor": {
              "name": "F5",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": null,
      "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
      "cves": [
        {
          "name": "CVE-2022-31473",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-31473"
        },
        {
          "name": "CVE-2022-35240",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-35240"
        },
        {
          "name": "CVE-2022-33203",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-33203"
        },
        {
          "name": "CVE-2022-30535",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30535"
        },
        {
          "name": "CVE-2022-35241",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-35241"
        },
        {
          "name": "CVE-2022-35243",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-35243"
        },
        {
          "name": "CVE-2022-34865",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-34865"
        },
        {
          "name": "CVE-2022-35236",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-35236"
        },
        {
          "name": "CVE-2022-34862",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-34862"
        },
        {
          "name": "CVE-2022-35728",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-35728"
        },
        {
          "name": "CVE-2022-34651",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-34651"
        },
        {
          "name": "CVE-2022-35272",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-35272"
        },
        {
          "name": "CVE-2022-34655",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-34655"
        },
        {
          "name": "CVE-2022-32455",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-32455"
        },
        {
          "name": "CVE-2022-35245",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-35245"
        },
        {
          "name": "CVE-2022-33947",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-33947"
        },
        {
          "name": "CVE-2022-35735",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-35735"
        },
        {
          "name": "CVE-2022-34844",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-34844"
        },
        {
          "name": "CVE-2022-33968",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-33968"
        },
        {
          "name": "CVE-2022-34851",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-34851"
        },
        {
          "name": "CVE-2022-33962",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-33962"
        }
      ],
      "initial_release_date": "2022-08-04T00:00:00",
      "last_revision_date": "2022-08-04T00:00:00",
      "links": [],
      "reference": "CERTFR-2022-AVI-704",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2022-08-04T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "D\u00e9ni de service \u00e0 distance"
        },
        {
          "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
        },
        {
          "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        },
        {
          "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
        },
        {
          "description": "\u00c9l\u00e9vation de privil\u00e8ges"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits F5.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits F5",
      "vendor_advisories": [
        {
          "published_at": null,
          "title": "Bulletin de s\u00e9curit\u00e9 F5 K14649763 du 03 ao\u00fbt 2022",
          "url": "https://support.f5.com/csp/article/K14649763"
        }
      ]
    }

    CVE-2024-10318 (GCVE-0-2024-10318)

    Vulnerability from nvd – Published: 2024-11-06 16:48 – Updated: 2024-11-06 16:57
    VLAI
    Title
    NGINX OpenID Connect Vulnerability
    Summary
    A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 NGINX OpenID Connect Affected: fa1ad160e2637d1d583611124478039170d726ab , < 133504f4fd9f72f3e36668f9f2f3d32a86fcb269 (git)
    Create a notification for this product.
    F5 NGINX Instance Manager Affected: 2.5.0 , < 2.17.4 (semver)
    Create a notification for this product.
    F5 NGINX API Connectivity Manager Affected: 1.0.0 , < 1.9.3 (semver)
    Create a notification for this product.
    F5 NGINX Ingress Controller Affected: 1.0.0 , < 3.7.1 (semver)
    Create a notification for this product.
    Date Public
    2024-11-06 15:00
    Credits
    Christian August Holm Hansen of Binary Security AS
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10318",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-06T16:57:19.535215Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-06T16:57:40.692Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "NGINX OpenID Connect",
              "repo": "https://github.com/nginxinc/nginx-openid-connect/",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "133504f4fd9f72f3e36668f9f2f3d32a86fcb269",
                  "status": "affected",
                  "version": "fa1ad160e2637d1d583611124478039170d726ab",
                  "versionType": "git"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "NGINX Instance Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "2.17.4",
                  "status": "affected",
                  "version": "2.5.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "NGINX API Connectivity Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.9.3",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "NGINX Ingress Controller",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "3.7.1",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Christian August Holm Hansen of Binary Security AS"
            }
          ],
          "datePublic": "2024-11-06T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim\u0027s session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim\u0027s session.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim\u0027s session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim\u0027s session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384 Session Fixation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T16:48:56.128Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://my.f5.com/manage/s/article/K000148232"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "NGINX OpenID Connect Vulnerability",
          "x_generator": {
            "engine": "F5 SIRTBot v1.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2024-10318",
        "datePublished": "2024-11-06T16:48:56.128Z",
        "dateReserved": "2024-10-23T19:34:33.203Z",
        "dateUpdated": "2024-11-06T16:57:40.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28724 (GCVE-0-2023-28724)

    Vulnerability from nvd – Published: 2023-05-03 14:34 – Updated: 2025-02-13 16:48
    VLAI
    Title
    NGINX Management Suite vulnerability
    Summary
    NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    f5
    Impacted products
    Vendor Product Version
    F5 NGINX Instance Manager Affected: 2.0.0 , < 2.9.0 (semver)
    Affected: 1.0.0 , < * (semver)
    Create a notification for this product.
    F5 NGINX API Connectivity Manager Affected: 1.0.0 , < 1.5.0 (semver)
    Create a notification for this product.
    F5 NGINX Security Monitoring Affected: 1.0.0 , < 1.3.0 (semver)
    Create a notification for this product.
    Date Public
    2023-05-03 14:00
    Credits
    F5
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.736Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K000133233"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230609-0006/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28724",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T18:25:48.222409Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T18:26:08.645Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX Instance Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "2.9.0",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "*",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX API Connectivity Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.5.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX Security Monitoring",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.3.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "F5"
            }
          ],
          "datePublic": "2023-05-03T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager.\u0026nbsp;\u0026nbsp;\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276 Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-09T07:06:25.547Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://my.f5.com/manage/s/article/K000133233"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230609-0006/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "NGINX Management Suite vulnerability",
          "x_generator": {
            "engine": "F5 SIRTBot v1.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2023-28724",
        "datePublished": "2023-05-03T14:34:28.973Z",
        "dateReserved": "2023-04-14T23:08:02.613Z",
        "dateUpdated": "2025-02-13T16:48:50.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28656 (GCVE-0-2023-28656)

    Vulnerability from nvd – Published: 2023-05-03 14:34 – Updated: 2025-02-13 16:48
    VLAI
    Title
    NGINX Management Suite vulnerability
    Summary
    NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    f5
    Impacted products
    Date Public
    2023-05-03 14:00
    Credits
    F5
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.635Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K000133417"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230609-0006/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28656",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-29T20:14:49.251967Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-29T20:14:57.445Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX Instance Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "2.9.0",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX API Connectivity Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.5.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX Security Monitoring",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.3.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "F5"
            }
          ],
          "datePublic": "2023-05-03T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment.\u0026nbsp;\u0026nbsp;\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\u003c/span\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-09T07:06:27.054Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://my.f5.com/manage/s/article/K000133417"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230609-0006/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "NGINX Management Suite vulnerability",
          "x_generator": {
            "engine": "F5 SIRTBot v1.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2023-28656",
        "datePublished": "2023-05-03T14:34:11.577Z",
        "dateReserved": "2023-04-14T23:08:02.609Z",
        "dateUpdated": "2025-02-13T16:48:48.509Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-35241 (GCVE-0-2022-35241)

    Vulnerability from nvd – Published: 2022-08-04 17:49 – Updated: 2024-09-16 16:24
    VLAI
    Title
    NGINX Instance Manager vulnerability CVE-2022-35241
    Summary
    In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 NGINX Instance Manager Affected: 2.x , < 2.3.1 (custom)
    Affected: 1.0.0 , < 1.x* (custom)
    Create a notification for this product.
    Date Public
    2022-08-03 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T09:29:17.434Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K37080719"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "NGINX Instance Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "2.3.1",
                  "status": "affected",
                  "version": "2.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.x*",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-08-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-04T17:49:06.000Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.f5.com/csp/article/K37080719"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "NGINX Instance Manager vulnerability CVE-2022-35241",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "f5sirt@f5.com",
              "DATE_PUBLIC": "2022-08-03T14:00:00.000Z",
              "ID": "CVE-2022-35241",
              "STATE": "PUBLIC",
              "TITLE": "NGINX Instance Manager vulnerability CVE-2022-35241"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "NGINX Instance Manager",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.x",
                                "version_value": "2.3.1"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_name": "1.x",
                                "version_value": "1.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "F5"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.f5.com/csp/article/K37080719",
                  "refsource": "MISC",
                  "url": "https://support.f5.com/csp/article/K37080719"
                }
              ]
            },
            "source": {
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2022-35241",
        "datePublished": "2022-08-04T17:49:06.414Z",
        "dateReserved": "2022-07-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:24:08.770Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10318 (GCVE-0-2024-10318)

    Vulnerability from cvelistv5 – Published: 2024-11-06 16:48 – Updated: 2024-11-06 16:57
    VLAI
    Title
    NGINX OpenID Connect Vulnerability
    Summary
    A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 NGINX OpenID Connect Affected: fa1ad160e2637d1d583611124478039170d726ab , < 133504f4fd9f72f3e36668f9f2f3d32a86fcb269 (git)
    Create a notification for this product.
    F5 NGINX Instance Manager Affected: 2.5.0 , < 2.17.4 (semver)
    Create a notification for this product.
    F5 NGINX API Connectivity Manager Affected: 1.0.0 , < 1.9.3 (semver)
    Create a notification for this product.
    F5 NGINX Ingress Controller Affected: 1.0.0 , < 3.7.1 (semver)
    Create a notification for this product.
    Date Public
    2024-11-06 15:00
    Credits
    Christian August Holm Hansen of Binary Security AS
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10318",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-06T16:57:19.535215Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-06T16:57:40.692Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "NGINX OpenID Connect",
              "repo": "https://github.com/nginxinc/nginx-openid-connect/",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "133504f4fd9f72f3e36668f9f2f3d32a86fcb269",
                  "status": "affected",
                  "version": "fa1ad160e2637d1d583611124478039170d726ab",
                  "versionType": "git"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "NGINX Instance Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "2.17.4",
                  "status": "affected",
                  "version": "2.5.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "NGINX API Connectivity Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.9.3",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "NGINX Ingress Controller",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "3.7.1",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Christian August Holm Hansen of Binary Security AS"
            }
          ],
          "datePublic": "2024-11-06T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim\u0027s session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim\u0027s session.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim\u0027s session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim\u0027s session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384 Session Fixation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-06T16:48:56.128Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://my.f5.com/manage/s/article/K000148232"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "NGINX OpenID Connect Vulnerability",
          "x_generator": {
            "engine": "F5 SIRTBot v1.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2024-10318",
        "datePublished": "2024-11-06T16:48:56.128Z",
        "dateReserved": "2024-10-23T19:34:33.203Z",
        "dateUpdated": "2024-11-06T16:57:40.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28724 (GCVE-0-2023-28724)

    Vulnerability from cvelistv5 – Published: 2023-05-03 14:34 – Updated: 2025-02-13 16:48
    VLAI
    Title
    NGINX Management Suite vulnerability
    Summary
    NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    f5
    Impacted products
    Vendor Product Version
    F5 NGINX Instance Manager Affected: 2.0.0 , < 2.9.0 (semver)
    Affected: 1.0.0 , < * (semver)
    Create a notification for this product.
    F5 NGINX API Connectivity Manager Affected: 1.0.0 , < 1.5.0 (semver)
    Create a notification for this product.
    F5 NGINX Security Monitoring Affected: 1.0.0 , < 1.3.0 (semver)
    Create a notification for this product.
    Date Public
    2023-05-03 14:00
    Credits
    F5
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.736Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K000133233"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230609-0006/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28724",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T18:25:48.222409Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T18:26:08.645Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX Instance Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "2.9.0",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "*",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX API Connectivity Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.5.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX Security Monitoring",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.3.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "F5"
            }
          ],
          "datePublic": "2023-05-03T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager.\u0026nbsp;\u0026nbsp;\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276 Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-09T07:06:25.547Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://my.f5.com/manage/s/article/K000133233"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230609-0006/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "NGINX Management Suite vulnerability",
          "x_generator": {
            "engine": "F5 SIRTBot v1.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2023-28724",
        "datePublished": "2023-05-03T14:34:28.973Z",
        "dateReserved": "2023-04-14T23:08:02.613Z",
        "dateUpdated": "2025-02-13T16:48:50.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28656 (GCVE-0-2023-28656)

    Vulnerability from cvelistv5 – Published: 2023-05-03 14:34 – Updated: 2025-02-13 16:48
    VLAI
    Title
    NGINX Management Suite vulnerability
    Summary
    NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    f5
    Impacted products
    Date Public
    2023-05-03 14:00
    Credits
    F5
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:43:23.635Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://my.f5.com/manage/s/article/K000133417"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230609-0006/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28656",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-29T20:14:49.251967Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-29T20:14:57.445Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX Instance Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "2.9.0",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX API Connectivity Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.5.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "platforms": [
                "Linux"
              ],
              "product": "NGINX Security Monitoring",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.3.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "F5"
            }
          ],
          "datePublic": "2023-05-03T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment.\u0026nbsp;\u0026nbsp;\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\u003c/span\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-09T07:06:27.054Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://my.f5.com/manage/s/article/K000133417"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230609-0006/"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "NGINX Management Suite vulnerability",
          "x_generator": {
            "engine": "F5 SIRTBot v1.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2023-28656",
        "datePublished": "2023-05-03T14:34:11.577Z",
        "dateReserved": "2023-04-14T23:08:02.609Z",
        "dateUpdated": "2025-02-13T16:48:48.509Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-35241 (GCVE-0-2022-35241)

    Vulnerability from cvelistv5 – Published: 2022-08-04 17:49 – Updated: 2024-09-16 16:24
    VLAI
    Title
    NGINX Instance Manager vulnerability CVE-2022-35241
    Summary
    In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 NGINX Instance Manager Affected: 2.x , < 2.3.1 (custom)
    Affected: 1.0.0 , < 1.x* (custom)
    Create a notification for this product.
    Date Public
    2022-08-03 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T09:29:17.434Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://support.f5.com/csp/article/K37080719"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "NGINX Instance Manager",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "2.3.1",
                  "status": "affected",
                  "version": "2.x",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.x*",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-08-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-04T17:49:06.000Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://support.f5.com/csp/article/K37080719"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "NGINX Instance Manager vulnerability CVE-2022-35241",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "f5sirt@f5.com",
              "DATE_PUBLIC": "2022-08-03T14:00:00.000Z",
              "ID": "CVE-2022-35241",
              "STATE": "PUBLIC",
              "TITLE": "NGINX Instance Manager vulnerability CVE-2022-35241"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "NGINX Instance Manager",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.x",
                                "version_value": "2.3.1"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_name": "1.x",
                                "version_value": "1.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "F5"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://support.f5.com/csp/article/K37080719",
                  "refsource": "MISC",
                  "url": "https://support.f5.com/csp/article/K37080719"
                }
              ]
            },
            "source": {
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2022-35241",
        "datePublished": "2022-08-04T17:49:06.414Z",
        "dateReserved": "2022-07-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:24:08.770Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    VAR-202208-0209

    Vulnerability from variot - Updated: 2024-08-14 14:55

    In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. NGINX Instance Manager Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202208-0209",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "nginx instance manager",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "f5",
            "version": "1.0.0"
          },
          {
            "model": "nginx instance manager",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "f5",
            "version": "2.0.0"
          },
          {
            "model": "nginx instance manager",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "f5",
            "version": "2.3.1"
          },
          {
            "model": "nginx instance manager",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "f5",
            "version": "1.0.4"
          },
          {
            "model": "nginx instance manager",
            "scope": null,
            "trust": 0.8,
            "vendor": "f5",
            "version": null
          },
          {
            "model": "nginx instance manager",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "f5",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-35241"
          }
        ]
      },
      "cve": "CVE-2022-35241",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 2.8,
                "id": "CVE-2022-35241",
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "High",
                "baseScore": 6.5,
                "baseSeverity": "Medium",
                "confidentialityImpact": "None",
                "exploitabilityScore": null,
                "id": "JVNDB-2022-016713",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2022-35241",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "f5sirt@f5.com",
                "id": "CVE-2022-35241",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2022-016713",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202208-2060",
                "trust": 0.6,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-2060"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-35241"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-35241"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. NGINX Instance Manager Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-35241"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          },
          {
            "db": "VULHUB",
            "id": "VHN-431571"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-35241"
          }
        ],
        "trust": 1.8
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-35241",
            "trust": 3.4
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-016713",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-2060",
            "trust": 0.6
          },
          {
            "db": "VULHUB",
            "id": "VHN-431571",
            "trust": 0.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-35241",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-431571"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-35241"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-2060"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-35241"
          }
        ]
      },
      "id": "VAR-202208-0209",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-431571"
          }
        ],
        "trust": 0.01
      },
      "last_update_date": "2024-08-14T14:55:19.138000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "K37080719",
            "trust": 0.8,
            "url": "https://my.f5.com/manage/s/article/K37080719"
          },
          {
            "title": "F5 BIG-IP Remediation of resource management error vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=203494"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-2060"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-400",
            "trust": 1.1
          },
          {
            "problemtype": "Resource exhaustion (CWE-400) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-431571"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-35241"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://support.f5.com/csp/article/k37080719"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-35241"
          },
          {
            "trust": 0.6,
            "url": "https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-38983"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-35241/"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/400.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-431571"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-35241"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-2060"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-35241"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-431571"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-35241"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-2060"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-35241"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-08-04T00:00:00",
            "db": "VULHUB",
            "id": "VHN-431571"
          },
          {
            "date": "2022-08-04T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-35241"
          },
          {
            "date": "2023-10-06T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          },
          {
            "date": "2022-08-03T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202208-2060"
          },
          {
            "date": "2022-08-04T18:15:10.597000",
            "db": "NVD",
            "id": "CVE-2022-35241"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-08-10T00:00:00",
            "db": "VULHUB",
            "id": "VHN-431571"
          },
          {
            "date": "2022-08-04T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-35241"
          },
          {
            "date": "2023-10-06T02:18:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          },
          {
            "date": "2022-08-11T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202208-2060"
          },
          {
            "date": "2022-08-10T19:04:33.003000",
            "db": "NVD",
            "id": "CVE-2022-35241"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-2060"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "NGINX\u00a0Instance\u00a0Manager\u00a0 Resource exhaustion vulnerability in",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-016713"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "resource management error",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-2060"
          }
        ],
        "trust": 0.6
      }
    }