CVE-2022-23008

Published: Jan 25, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected (1)

Products: F5: Nginx Controller Api Management

1 product

Nginx Controller Api Management

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
F5 Nginx Controller Api Management	From 3.18.0 to 3.19.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://support.f5.com/csp/article/K57735782

Source: f5sirt@f5.com

Vendor Advisory

https://support.f5.com/csp/article/K57735782

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.