PT-2022-15775 · Nginx · Nginx Controller Api Management

Published: 2022-01-25 · Updated: 2023-06-27 · CVE-2022-23008

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

NGINX Controller API Management versions 3.18.0 through 3.19.0

Description

An authenticated attacker with access to the user or admin role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances.

Recommendations

For NGINX Controller API Management versions 3.18.0 through 3.19.0, consider restricting access to undisclosed API endpoints to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling JavaScript code execution on managed NGINX data plane instances until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2022-23008

Affected Products

Nginx Controller Api Management