Description
NGINX Plus is a software load balancer, web server, and content cache built on top of open source NGINX. NGINX Plus has exclusive enterprise-grade features beyond what is available in the open source offering, including session persistence, configuration via API, and active health checks.
NGINX Plus includes the ngx_http_upstream_conf_module module, which allows upstream server groups to be reconfigured on the fly (servers added, removed, drained or marked down) through a simple HTTP interface, without restarting NGINX Plus. Later NGINX Plus releases replaced this module with the `api` directive of ngx_http_api_module, which exposes the same upstream management functions and needs the same protection. Acunetix determined that this HTTP interface was accessible without authentication.
Restrict access to the NGINX Plus upstream configuration HTTP interface: anyone who can reach it without authentication can read the upstream configuration and change it, for example by adding a backend server of their choosing to a group or by removing the legitimate ones.
Remediation
Restrict access to the NGINX Plus upstream configuration HTTP interface: serve it only on a management address, limit it by source address with allow/deny, require authentication (for example auth_basic) and use TLS so credentials are not sent in the clear. Verify the fix by requesting the endpoint from a host outside the allowed range and confirming it is refused.
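The weak configuration beside the hardened one, as an added example that is not from the original page, from Acunetix or from NGINX documentation. The upstream name, the backend and management addresses, the ports, the certificate and htpasswd paths, and the allowed network are assumptions.

```nginx
# Added example, not from the original page or from NGINX. Hostnames, addresses,
# ports and file paths are assumptions.

upstream backend {
    zone backend 64k;            # shared memory zone: required for on-the-fly changes
    server 10.0.0.11:8080;
    server 10.0.0.12:8080;
}

# WEAK: the management endpoint sits on the public listener with no access control.
# Anyone who can reach port 80 can list, add, remove or drain backend servers.
server {
    listen 80;

    location /upstream_conf {
        upstream_conf;
    }
}

# HARDENED: a separate listener bound to the management address only, a
# source-address allowlist, HTTP basic authentication and TLS. Both the
# allowlist and the credentials must pass (satisfy all is the default).
server {
    listen 10.0.0.1:8443 ssl;                          # management interface only
    ssl_certificate     /etc/nginx/tls/mgmt.crt;       # assumed path
    ssl_certificate_key /etc/nginx/tls/mgmt.key;       # assumed path

    location /upstream_conf {
        allow 10.0.0.0/24;                             # operations network only
        deny  all;
        auth_basic           "NGINX Plus management";
        auth_basic_user_file /etc/nginx/.htpasswd;     # assumed path
        upstream_conf;
    }

    # Releases that replaced upstream_conf with the API module need the same
    # protection on the api location; write=on is what permits changes.
    location /api {
        allow 10.0.0.0/24;
        deny  all;
        auth_basic           "NGINX Plus management";
        auth_basic_user_file /etc/nginx/.htpasswd;     # assumed path
        api write=on;
    }
}
```

Keep only the `upstream_conf` or the `api` location that the installed release supports; a release that lacks one of the two directives will refuse to load the configuration. After `nginx -t` and `nginx -s reload`, check from a host outside 10.0.0.0/24 that `https://10.0.0.1:8443/upstream_conf?upstream=backend` returns 403, from an allowed host without credentials that it returns 401, and that the same path on the public port 80 listener no longer answers with upstream data.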