PT-2020-2709 · Nginx · Nginx Controller

Published: 2020-05-06 · Updated: 2022-07-12 · CVE-2020-5895

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

NGINX Controller versions 3.1.0 through 3.3.0

Description

The issue is a buffer overflow in memory that can allow an attacker to execute arbitrary code. Because the socket has world-readable and world-writable permissions, processes or users on the local system can write arbitrary data into it, and malformed messages written to the socket can cause a segmentation fault.

Recommendations

For NGINX Controller versions 3.1.0 through 3.3.0, consider restricting access to the socket so that local system attackers cannot write arbitrary data into it. As a temporary workaround, restrict the use of the AVRD socket until a patch is available.
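
An added example, not part of the advisory or of any NGINX tooling: a Python check for the condition described above (a UNIX socket that any local user can read or write), with a helper that removes "other" access. The scan directory, its default `/var/run` and the `0o660` mode are assumptions, since the advisory does not give the socket's path.

```python
import os
import stat

# Permission bits that let any local user read from or write to the socket.
OTHER_RW = stat.S_IROTH | stat.S_IWOTH


def find_exposed_sockets(root):
    """Return sorted (path, octal_mode) pairs for every UNIX socket under
    root that grants read or write permission to 'other'."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:  # os.walk lists sockets among the non-directories
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if stat.S_ISSOCK(st.st_mode) and st.st_mode & OTHER_RW:
                exposed.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(exposed)


def restrict_socket(path, mode=0o660):
    """Remove 'other' access from a socket and return the resulting mode.
    Refuses non-socket paths so a mistyped path is never chmod-ed."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a UNIX socket")
    os.chmod(path, mode)  # assumed mode: owner and group only
    return stat.S_IMODE(os.lstat(path).st_mode)


if __name__ == "__main__":
    import sys
    # Assumed default; pass the directory that actually holds the service socket.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/run"
    for sock_path, sock_mode in find_exposed_sockets(root):
        print(f"{sock_mode}  {sock_path}")
```

A service that recreates its socket on restart will apply its own mode again, so repeat the check after restarts until the fixed version is installed.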

Fix

Buffer Overflow

Incorrect Permission


Weakness Enumeration

Related Identifiers

BDU:2020-02785
CVE-2020-5895

Affected Products

Nginx Controller