CVE-2023-28724 HIGH

CVE-2023-28724: NGINX Management Suite vulnerability

Vendor F5

Product NGINX Instance Manager

Weakness CWE-276

Published May 3, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Key dates

Disclosure timeline

May 3, 2023 CVE published

February 13, 2025 Record updated

Identifiers

CVE CVE-2023-28724

CWE CWE-276

CVSS 7.1 / HIGH

Affected versions

Vendor F5

Product NGINX Instance Manager

Affected ≥ 2.0.0 and < 2.9.0

Vendor F5

Product NGINX Instance Manager

Affected ≥ 1.0.0 and < *

Vendor F5

Product NGINX API Connectivity Manager

Affected ≥ 1.0.0 and < 1.5.0

Vendor F5

Product NGINX Security Monitoring

Affected ≥ 1.0.0 and < 1.3.0