CVE-2023-28656

Published: May 3, 2023Modified: May 19, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected (5)

Products: Netapp: Cloud Backup, Ontap Select Deploy · F5: Nginx Api Connectivity Manager, Nginx Instance Manager, Nginx Security Monitoring

Netapp

2 products

Cloud Backup

Ontap Select Deploy

3 products

Nginx Api Connectivity Manager

Nginx Instance Manager

Nginx Security Monitoring

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Netapp Cloud Backup	All versions
Netapp Ontap Select Deploy	All versions

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
F5 Nginx Api Connectivity Manager	From 1.0.0 to 1.5.0
F5 Nginx Instance Manager	From 2.0.0 to 2.9.0
F5 Nginx Security Monitoring	From 1.0.0 to 1.3.0

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://my.f5.com/manage/s/article/K000133417

Source: f5sirt@f5.com

Vendor Advisory

https://security.netapp.com/advisory/ntap-20230609-0006/

Source: f5sirt@f5.com

Third Party Advisory

https://my.f5.com/manage/s/article/K000133417

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.netapp.com/advisory/ntap-20230609-0006/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.