Details of VAR-202201-1272

ID

VAR-202201-1272

CVE

CVE-2022-23008

TITLE

NGINX Controller API Management Code injection vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-004155

DESCRIPTION

On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. The F5 NGINX Controller is a self-service, API-driven platform for managing NGINIX Plus that can be easily integrated into CI/CD workflows to speed application deployment and simplify application lifecycle management

Trust: 2.34

sources: NVD: CVE-2022-23008 // JVNDB: JVNDB-2022-004155 // CNVD: CNVD-2022-26843 // VULHUB: VHN-411879 // VULMON: CVE-2022-23008

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-26843

AFFECTED PRODUCTS

vendor:	f5	model:	nginx controller api management	scope:	lt	version:	3.19.1	Trust: 1.0
vendor:	f5	model:	nginx controller api management	scope:	gte	version:	3.18.0	Trust: 1.0
vendor:	f5	model:	nginx controller api management	scope:	eq	version:	3.18.0 to 3.19.0	Trust: 0.8
vendor:	f5	model:	nginx controller api management	scope:	eq	version:	-	Trust: 0.8
vendor:	f5	model:	nginx controller api management	scope:	gte	version:	3.18.0,<3.19.1	Trust: 0.6

sources: CNVD: CNVD-2022-26843 // JVNDB: JVNDB-2022-004155 // NVD: CVE-2022-23008

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-23008
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-23008
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-26843
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202201-2128
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-411879
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-23008
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-23008
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2022-26843
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-411879
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-23008
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2022-23008
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-26843 // VULHUB: VHN-411879 // VULMON: CVE-2022-23008 // JVNDB: JVNDB-2022-004155 // CNNVD: CNNVD-202201-2128 // NVD: CVE-2022-23008

PROBLEMTYPE DATA

problemtype:	CWE-94	Trust: 1.1
problemtype:	CWE-79	Trust: 1.0
problemtype:	Code injection (CWE-94) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-411879 // JVNDB: JVNDB-2022-004155 // NVD: CVE-2022-23008

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-2128

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202201-2128

PATCH

title:	K57735782	url:	https://my.f5.com/manage/s/article/K57735782	Trust: 0.8
title:	Patch for F5 NGINX Controller API Code Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/328916	Trust: 0.6
title:	NGINX Fixes for code injection vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=182121	Trust: 0.6
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: CNVD: CNVD-2022-26843 // VULMON: CVE-2022-23008 // JVNDB: JVNDB-2022-004155 // CNNVD: CNNVD-202201-2128

EXTERNAL IDS

db:	NVD	id:	CVE-2022-23008	Trust: 4.0
db:	JVNDB	id:	JVNDB-2022-004155	Trust: 0.8
db:	CNVD	id:	CNVD-2022-26843	Trust: 0.6
db:	CS-HELP	id:	SB2022012106	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-2128	Trust: 0.6
db:	VULHUB	id:	VHN-411879	Trust: 0.1
db:	VULMON	id:	CVE-2022-23008	Trust: 0.1

sources: CNVD: CNVD-2022-26843 // VULHUB: VHN-411879 // VULMON: CVE-2022-23008 // JVNDB: JVNDB-2022-004155 // CNNVD: CNNVD-202201-2128 // NVD: CVE-2022-23008

REFERENCES

url:	https://support.f5.com/csp/article/k57735782	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23008	Trust: 1.4
url:	https://www.cybersecurity-help.cz/vdb/sb2022012106	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: CNVD: CNVD-2022-26843 // VULHUB: VHN-411879 // VULMON: CVE-2022-23008 // JVNDB: JVNDB-2022-004155 // CNNVD: CNNVD-202201-2128 // NVD: CVE-2022-23008

SOURCES

db:	CNVD	id:	CNVD-2022-26843
db:	VULHUB	id:	VHN-411879
db:	VULMON	id:	CVE-2022-23008
db:	JVNDB	id:	JVNDB-2022-004155
db:	CNNVD	id:	CNNVD-202201-2128
db:	NVD	id:	CVE-2022-23008

LAST UPDATE DATE

2024-11-23T22:15:57.753000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-26843	date:	2022-04-07T00:00:00
db:	VULHUB	id:	VHN-411879	date:	2022-02-01T00:00:00
db:	VULMON	id:	CVE-2022-23008	date:	2023-06-27T00:00:00
db:	JVNDB	id:	JVNDB-2022-004155	date:	2023-03-23T06:01:00
db:	CNNVD	id:	CNNVD-202201-2128	date:	2023-06-28T00:00:00
db:	NVD	id:	CVE-2022-23008	date:	2024-11-21T06:47:47.630

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-26843	date:	2022-04-07T00:00:00
db:	VULHUB	id:	VHN-411879	date:	2022-01-25T00:00:00
db:	VULMON	id:	CVE-2022-23008	date:	2022-01-25T00:00:00
db:	JVNDB	id:	JVNDB-2022-004155	date:	2023-03-23T00:00:00
db:	CNNVD	id:	CNNVD-202201-2128	date:	2022-01-21T00:00:00
db:	NVD	id:	CVE-2022-23008	date:	2022-01-25T20:15:09