Vulnerability-Lookup

CVE-2020-5909 (GCVE-0-2020-5909)

Vulnerability from cvelistv5 – Published: 2020-07-02 12:26 – Updated: 2024-08-04 08:47

Summary

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.

Severity ?

No CVSS data available.

CWE

MITM

Assigner

References

URL

	Vendor	Product	Version
	n/a	NGINX Controller	Affected: 3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1

CNVD-2021-18398

Vulnerability from cnvd - Published: 2021-03-18

Title

F5 NGINX Controller信任管理问题漏洞（CNVD-2021-18398）

Description

F5 NGINX Controller是美国F5公司的一款用于NGINX的集中式监视和管理平台。该平台支持使用可视化界面管理多个NGINX实例。 F5 NGINX Controller 1.0.1版本、2.0.0版本至2.9.0版本和3.0.0版本至3.5.0版本中存在安全漏洞，该漏洞源于程序未能正确验证服务器TLS证书。攻击者可利用该漏洞拦截通信通道并读取或修改传输中的数据。

Severity

中

Formal description

目前厂商发布了该软件3.x版本的修复措施，该软件1.x版本和2.x版本的修复措施暂未发布，详情请参考链接： https://support.f5.com/csp/article/K31150658

Reference

https://www.auscert.org.au/bulletins/ESB-2020.2264/

Impacted products

Name
['F5 NGINX Controller 1.0.1', 'F5 NGINX Controller >=2.0.0，<=2.9.0', 'F5 NGINX Controller >=3.0.0，<=3.5.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-5909"
    }
  },
  "description": "F5 NGINX Controller\u662f\u7f8e\u56fdF5\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8eNGINX\u7684\u96c6\u4e2d\u5f0f\u76d1\u89c6\u548c\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u4f7f\u7528\u53ef\u89c6\u5316\u754c\u9762\u7ba1\u7406\u591a\u4e2aNGINX\u5b9e\u4f8b\u3002\n\nF5 NGINX Controller 1.0.1\u7248\u672c\u30012.0.0\u7248\u672c\u81f32.9.0\u7248\u672c\u548c3.0.0\u7248\u672c\u81f33.5.0\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u9a8c\u8bc1\u670d\u52a1\u5668TLS\u8bc1\u4e66\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u62e6\u622a\u901a\u4fe1\u901a\u9053\u5e76\u8bfb\u53d6\u6216\u4fee\u6539\u4f20\u8f93\u4e2d\u7684\u6570\u636e\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u53d1\u5e03\u4e86\u8be5\u8f6f\u4ef63.x\u7248\u672c\u7684\u4fee\u590d\u63aa\u65bd\uff0c\u8be5\u8f6f\u4ef61.x\u7248\u672c\u548c2.x\u7248\u672c\u7684\u4fee\u590d\u63aa\u65bd\u6682\u672a\u53d1\u5e03\uff0c\u8be6\u60c5\u8bf7\u53c2\u8003\u94fe\u63a5\uff1a\r\nhttps://support.f5.com/csp/article/K31150658",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-18398",
  "openTime": "2021-03-18",
  "products": {
    "product": [
      "F5 NGINX Controller 1.0.1",
      "F5 NGINX Controller \u003e=2.0.0\uff0c\u003c=2.9.0",
      "F5 NGINX Controller \u003e=3.0.0\uff0c\u003c=3.5.0"
    ]
  },
  "referenceLink": "https://www.auscert.org.au/bulletins/ESB-2020.2264/",
  "serverity": "\u4e2d",
  "submitTime": "2020-07-02",
  "title": "F5 NGINX Controller\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2021-18398\uff09"
}

FKIE_CVE-2020-5909

Vulnerability from fkie_nvd - Published: 2020-07-02 13:15 - Updated: 2024-11-21 05:34

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.

References

	URL	Tags
	f5sirt@f5.com	https://support.f5.com/csp/article/K31150658	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://support.f5.com/csp/article/K31150658	Vendor Advisory

Impacted products

Vendor	Product	Version
f5	nginx_controller	*
f5	nginx_controller	*
f5	nginx_controller	1.0.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3CA86CB0-F33A-4B9C-AAFC-8AC3F0071A31",
              "versionEndIncluding": "2.9.0",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B096D372-9687-436E-AD7E-452260DE5774",
              "versionEndIncluding": "3.5.0",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:nginx_controller:1.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D96CC675-BA26-4E41-B8F1-63F643E022D0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified."
    },
    {
      "lang": "es",
      "value": "En las versiones 3.0.0 hasta 3.5.0, 2.0.0 hasta 2.9.0 y 1.0.1, cuando los usuarios ejecutan el comando desplegado en la Interfaz de Usuario (UI) del NGINX Controller para obtener el instalador del agente, el certificado TLS del servidor no es verificado"
    }
  ],
  "id": "CVE-2020-5909",
  "lastModified": "2024-11-21T05:34:48.597",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-02T13:15:10.310",
  "references": [
    {
      "source": "f5sirt@f5.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.f5.com/csp/article/K31150658"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.f5.com/csp/article/K31150658"
    }
  ],
  "sourceIdentifier": "f5sirt@f5.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-989X-V562-XR5M

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22

Details

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-5909"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-02T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.",
  "id": "GHSA-989x-v562-xr5m",
  "modified": "2022-05-24T17:22:21Z",
  "published": "2022-05-24T17:22:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5909"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K31150658"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2020-5909

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.

Aliases

CVE-2020-5909

Aliases

CVE-2020-5909

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-5909",
    "description": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.",
    "id": "GSD-2020-5909"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-5909"
      ],
      "details": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.",
      "id": "GSD-2020-5909",
      "modified": "2023-12-13T01:22:03.280653Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "f5sirt@f5.com",
        "ID": "CVE-2020-5909",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "NGINX Controller",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "3.0.0-3.5.0, 2.0.0-2.9.0, 1.0.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "MITM"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://support.f5.com/csp/article/K31150658",
            "refsource": "MISC",
            "url": "https://support.f5.com/csp/article/K31150658"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:f5:nginx_controller:1.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.9.0",
                "versionStartIncluding": "2.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:f5:nginx_controller:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.5.0",
                "versionStartIncluding": "3.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "f5sirt@f5.com",
          "ID": "CVE-2020-5909"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-295"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.f5.com/csp/article/K31150658",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://support.f5.com/csp/article/K31150658"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2020-07-08T18:28Z",
      "publishedDate": "2020-07-02T13:15Z"
    }
  }
}

VAR-202007-1400

Vulnerability from variot - Updated: 2024-11-23 21:51

In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. NGINX Controller Exists in a certificate validation vulnerability.Information may be obtained and tampered with. F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5 Corporation in the United States. The platform supports managing multiple NGINX instances using a visual interface. F5 NGINX Controller version 1.0.1, version 2.0.0 to version 2.9.0 and version 3.0.0 to version 3.5.0 have a security vulnerability. The vulnerability is caused by the program not correctly validating the server TLS certificate. An attacker could exploit this vulnerability to intercept the communication channel and read or modify data in transit

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202007-1400",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "nginx controller",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "f5",
        "version": "1.0.1"
      },
      {
        "model": "nginx controller",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "f5",
        "version": "2.9.0"
      },
      {
        "model": "nginx controller",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "f5",
        "version": "3.5.0"
      },
      {
        "model": "nginx controller",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "f5",
        "version": "3.0.0"
      },
      {
        "model": "nginx controller",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "f5",
        "version": "2.0.0"
      },
      {
        "model": "nginx controller",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "f5",
        "version": "2.0.0 \u304b\u3089 2.9.0"
      },
      {
        "model": "nginx controller",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "f5",
        "version": "3.0.0 \u304b\u3089 3.5.0"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5909"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:f5:nginx_controller",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      }
    ]
  },
  "cve": "CVE-2020-5909",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CVE-2020-5909",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.0,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.8,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-007466",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "VHN-184034",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "id": "CVE-2020-5909",
            "impactScore": 2.5,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.4,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-007466",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2020-5909",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-007466",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202007-105",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-184034",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-184034"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-105"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5909"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified. NGINX Controller Exists in a certificate validation vulnerability.Information may be obtained and tampered with. F5 NGINX Controller is a centralized monitoring and management platform for NGINX from F5 Corporation in the United States. The platform supports managing multiple NGINX instances using a visual interface. F5 NGINX Controller version 1.0.1, version 2.0.0 to version 2.9.0 and version 3.0.0 to version 3.5.0 have a security vulnerability. The vulnerability is caused by the program not correctly validating the server TLS certificate. An attacker could exploit this vulnerability to intercept the communication channel and read or modify data in transit",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-5909"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      },
      {
        "db": "VULHUB",
        "id": "VHN-184034"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-5909",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-105",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2264",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-184034",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-184034"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-105"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5909"
      }
    ]
  },
  "id": "VAR-202007-1400",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-184034"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T21:51:24.825000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "K31150658",
        "trust": 0.8,
        "url": "https://support.f5.com/csp/article/K31150658"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-295",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-184034"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5909"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://support.f5.com/csp/article/k31150658"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-5909"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5909"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2264/"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-184034"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-105"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5909"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-184034"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-105"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-5909"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-07-02T00:00:00",
        "db": "VULHUB",
        "id": "VHN-184034"
      },
      {
        "date": "2020-08-14T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      },
      {
        "date": "2020-07-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202007-105"
      },
      {
        "date": "2020-07-02T13:15:10.310000",
        "db": "NVD",
        "id": "CVE-2020-5909"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-07-08T00:00:00",
        "db": "VULHUB",
        "id": "VHN-184034"
      },
      {
        "date": "2020-08-14T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      },
      {
        "date": "2022-03-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202007-105"
      },
      {
        "date": "2024-11-21T05:34:48.597000",
        "db": "NVD",
        "id": "CVE-2020-5909"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-105"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "NGINX Controller Certificate validation vulnerabilities in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007466"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-105"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-5909 (GCVE-0-2020-5909)

CNVD-2021-18398

FKIE_CVE-2020-5909

GHSA-989X-V562-XR5M

GSD-2020-5909

VAR-202007-1400

Tags

Sightings

Nomenclature