PT-2025-38296 · Nginx+2
Published: 2025-09-18 · Updated: 2025-10-26
CVE-2023-49564
CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CBIS/NCS Manager (affected versions not specified)
Description
The CBIS/NCS Manager API is susceptible to an authentication bypass. Because the authentication implementation relies on a weak verification mechanism, an unauthenticated user can gain unauthorized access to API functions by sending a specially crafted HTTP header, reaching restricted or sensitive endpoints of the HTTP API without valid credentials. The vulnerability resides in the Nginx Podman container on the CBIS/NCS Manager host machine. Restricting access to the management network using an external firewall can partially mitigate the risk.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Authentication Bypass Using an Alternate Path or Channel
Related Identifiers
Affected Products
CBIS/NCS Manager
Nginx
Podman