PT-2020-5282 · Nginx · Nginx Controller Agent
Published: 2020-12-08 · Updated: 2022-08-06 · CVE-2020-27730
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
NGINX Controller Agent versions 1.0.1, 2.0.0 through 2.9.0, 3.0.0 through 3.9.0
Description
The NGINX Controller Agent does not use absolute paths when calling system utilities. A remote attacker can exploit this to impact the confidentiality, integrity, and availability of protected information.
Recommendations
For version 1.0.1, update to a version that uses absolute paths when calling system utilities.
For versions 2.0.0 through 2.9.0, update to a version that uses absolute paths when calling system utilities.
For versions 3.0.0 through 3.9.0, update to a version that uses absolute paths when calling system utilities.
As a temporary workaround, consider restricting access to system utilities until a patch is available.
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Nginx Controller Agent