Description
In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. An account created this way can only upload a new license to the system; it cannot view or modify any other components of the system.
References (2)
Core References
Vendor Advisory x_refsource_misc
https://support.f5.com/csp/article/K14631834
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200430-0005/
Scores
CVSS v3
8.6
EPSS
0.0111
EPSS Percentile
78.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Details
Status
published
Products (3)
f5/nginx_controller
1.0.1
f5/nginx_controller
2.0.0 - 2.9.0
netapp/cloud_backup
Published
Mar 27, 2020
Tracked Since
Feb 18, 2026