A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attackers control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Weakness
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Nginx_gateway_fabric | F5 | 1.2.0 (including) | 1.6.2 (including) |
| Nginx_gateway_fabric | F5 | 2.0.0 (including) | 2.4.1 (excluding) |
| Nginx_ingress_controller | F5 | 3.4.0 (including) | 3.7.2 (including) |
| Nginx_ingress_controller | F5 | 4.0.0 (including) | 4.0.1 (including) |
| Nginx_ingress_controller | F5 | 5.0.0 (including) | 5.3.3 (excluding) |
| Nginx_instance_manager | F5 | 2.15.1 (including) | 2.21.0 (including) |
| Nginx_open_source | F5 | 1.3.0 (including) | 1.28.2 (excluding) |
| Nginx_open_source | F5 | 1.29.0 (including) | 1.29.5 (excluding) |
| Nginx_plus | F5 | r33 (including) | r35 (excluding) |
| Nginx_plus | F5 | r32 (including) | r32 (including) |
| Nginx_plus | F5 | r32-p1 (including) | r32-p1 (including) |
| Nginx_plus | F5 | r32-p2 (including) | r32-p2 (including) |
| Nginx_plus | F5 | r32-p3 (including) | r32-p3 (including) |
| Nginx_plus | F5 | r33-p1 (including) | r33-p1 (including) |
| Nginx_plus | F5 | r33-p2 (including) | r33-p2 (including) |
| Nginx_plus | F5 | r33-p3 (including) | r33-p3 (including) |
| Nginx_plus | F5 | r34-p1 (including) | r34-p1 (including) |
| Nginx_plus | F5 | r34-p2 (including) | r34-p2 (including) |
| Nginx_plus | F5 | r35 (including) | r35 (including) |
| Nginx_plus | F5 | r36 (including) | r36 (including) |
| Nginx_plus | F5 | r36-p1 (including) | r36-p1 (including) |
| Nginx | Ubuntu | devel | * |
| Nginx | Ubuntu | jammy | * |
| Nginx | Ubuntu | noble | * |
| Nginx | Ubuntu | questing | * |
| Nginx | Ubuntu | upstream | * |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/141.html
- https://cwe.mitre.org/data/definitions/142.html
- https://cwe.mitre.org/data/definitions/75.html