A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
No Fix Known
No patch has been released yet. Apply workarounds or mitigations where available.
| Vendor | Product | Versions | Fixed In |
|---|---|---|---|
| f5 | nginx_gateway_fabric | 1.2.0 - 1.6.2 | - |
| f5 | nginx_gateway_fabric | 2.0.0 - 2.4.1 | - |
| f5 | nginx_ingress_controller | 3.4.0 - 3.7.2 | - |
| f5 | nginx_ingress_controller | 4.0.0 - 4.0.1 | - |
| f5 | nginx_ingress_controller | 5.0.0 - 5.3.3 | - |
| f5 | nginx_instance_manager | 2.15.1 - 2.21.0 | - |
| f5 | nginx_open_source | 1.3.0 - 1.28.2 | - |
| f5 | nginx_open_source | 1.29.0 - 1.29.5 | - |
| f5 | nginx_plus | r33 - r35 | - |
| f5 | nginx_plus | - | - |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N