CVE-2023-28656

NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://my.f5.com/manage/s/article/K000133417	Vendor Advisory
https://security.netapp.com/advisory/ntap-20230609-0006/
https://my.f5.com/manage/s/article/K000133417	Vendor Advisory
https://security.netapp.com/advisory/ntap-20230609-0006/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:f5:nginx_api_connectivity_manager::::::::
	cpe:2.3:a:f5:nginx_instance_manager::::::::
	cpe:2.3:a:f5:nginx_security_monitoring::::::::

History

13 Feb 2025, 17:16

Type	Values Removed	Values Added
Summary	(en) NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.	(en) NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Information

Published : 2023-05-03 15:15

Updated : 2025-02-13 17:16

NVD link : CVE-2023-28656

Mitre link : CVE-2023-28656

CVE.ORG link : CVE-2023-28656

JSON object : View

Products Affected

f5

nginx_security_monitoring
nginx_instance_manager
nginx_api_connectivity_manager

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2023-28656", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "f5sirt@f5.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2023-05-03T15:15:12.860", "references": [{"url": "https://my.f5.com/manage/s/article/K000133417", "tags": ["Vendor Advisory"], "source": "f5sirt@f5.com"}, {"url": "https://security.netapp.com/advisory/ntap-20230609-0006/", "source": "f5sirt@f5.com"}, {"url": "https://my.f5.com/manage/s/article/K000133417", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20230609-0006/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "f5sirt@f5.com", "description": [{"lang": "en", "value": "CWE-639"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "lastModified": "2025-02-13T17:16:16.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx_api_connectivity_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC45BFDB-391A-4EB6-B74E-1C80000B044F", "versionEndExcluding": "1.5.0", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EAEC7716-B3B5-4640-A094-38379425DB83", "versionEndExcluding": "2.9.0", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:f5:nginx_security_monitoring:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BBEBF811-2D7D-427C-805A-D430360C3FA3", "versionEndExcluding": "1.3.0", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "f5sirt@f5.com"}