Privilege escalation on Nginx Controller up to 3.1.x Controller API

A critical vulnerability has been identified in Nginx Controller up to 3.1.x (web server,) affecting an unknown code block of the component Controller API.

Manipulation with an unknown input leads to a privilege escalation vulnerability, with a CWE definition of CWE-269.

Released on the 27th of March 2020, this vulnerability has been designated CVE-2020-5863 and it requires no authentication to be exploited.

Technical information for this vulnerability can be found on our SCHAN project’s vunerability database. Seach the CVE number (and any others) here: https://www.hedgehogsecurity.co.uk/vulnerability-database/

Whilst no technical details are publicly available, if you would like help with this vulnerability and management of vulnerabilites in general, please feel free to contact us at any time.

Upgrading to version 3.2.0 will eliminate this vulnerabiltiy.