Privilege escalation on Nginx Controller < 3.1.x

Posted by Peter Bassill on 30/03/2020

A critical vulnerability has been identified in Nginx Controller (web server) up to version 3.1.x, affecting an unknown code block of the Controller API component.

Manipulation using an unknown input leads to privilege escalation; the weakness is classified as CWE-269.

Published on the 27th of March 2020, this vulnerability has been designated CVE-2020-5863, and it requires no authentication to exploit.

Technical information for this vulnerability can be found in our SCHAN project's vulnerability database, where the CVE number (and any others) can be searched.

Whilst no technical details are publicly available, if you would like help with this vulnerability, or with vulnerability management in general, please feel free to contact us at any time.

Upgrading to version 3.2.0 will eliminate this vulnerability.

Hedgehog Security is a full-service cyber security consultancy. We are available at all times for all your penetration testing requirements. Hedgehog Security is here to help.

Contact us

  • Worklab, Europort, Gibraltar

  • +350 540 73836