PT-2021-7435 · Nginx · Nginx Controller

Published: 2021-06-01 · Updated: 2022-08-30 · CVE-2021-23019

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

NGINX Controller versions 2.0.0 through 2.9.0
NGINX Controller versions 3.x before 3.15.0

Description

The issue is related to insufficient protection of credentials, which may allow an attacker to disclose protected information. Specifically, the Administrator password may be exposed in the systemd.txt file included in the NGINX support package.

Recommendations

For NGINX Controller versions 2.0.0 through 2.9.0, update to version 3.15.0 or later to resolve the issue.
For NGINX Controller versions 3.x before 3.15.0, update to version 3.15.0 or later to resolve the issue.
As a temporary workaround, consider restricting access to the systemd.txt file to minimize the risk of exploitation.

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

BDU:2022-06213
CVE-2021-23019

Affected Products

Nginx Controller