CVE-2020-5867
HIGHCVSS 8.1/10EPSS 0.40%
Last modified
CVE-2020-5867 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages. EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| F5 | Nginx Controller | >= 2.0.0, <= 2.9.0 |
| F5 | Nginx Controller | >= 3.0.0, < 3.3.0 |
| F5 | Nginx Controller | 1.0.1 |
| Netapp | Cloud Backup | All versions |
References
- https://security.netapp.com/advisory/ntap-20200430-0005/Third Party Advisory
- https://support.f5.com/csp/article/K00958787Vendor Advisory
- https://security.netapp.com/advisory/ntap-20200430-0005/Third Party Advisory
- https://support.f5.com/csp/article/K00958787Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-5867?
In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages
How severe is CVE-2020-5867?
CVE-2020-5867 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 0.40% probability of exploitation in the next 30 days.
How do I fix CVE-2020-5867?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2020-5867?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST