exploitDog
GHSA-pr72-8fxw-xx22

Published: 19 Aug 2025
Source: github
GitHub: Reviewed
CVSS3: 6.5

Description

Default Credentials in nginx-defender Configuration Files

Impact

This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml, docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections.

Who is impacted? All users who deploy nginx-defender with default credentials and expose the admin interface to untrusted networks.

Patches

The issue is addressed in v1.5.0 and later.

Startup warnings are added if default credentials are detected. Documentation now strongly recommends changing all default passwords before deployment. Patched versions: 1.5.0 and later. Will be fully patched in v1.7.0 and later.

Workarounds

Users can remediate the vulnerability without upgrading by manually changing all default credentials in configuration files before deployment:

# config.yaml
auth:
  default_password: "your_strong_password_here"

# docker-compose.yml
- GF_SECURITY_ADMIN_PASSWORD=your_strong_password

Restrict access to the admin interface and use environment variables for secrets.
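The patch notes above mention startup warnings when default credentials are detected. The following is an added example of such a check written for this page, not code from the nginx-defender project: it scans the two files named in the advisory for the two keys named there (default_password in config.yaml, GF_SECURITY_ADMIN_PASSWORD in docker-compose.yml) and flags any value equal to a shipped default. It goes one step beyond a warning by refusing to start while a default remains, which is a design choice of this example. The line scanner is an assumption that is sufficient for these two files; it is not a YAML parser. The sample inputs are constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Credential values the advisory reports as shipped defaults.
var knownDefaults = map[string]bool{
	"change_me_please": true,
	"admin123":         true,
}

// Keys inspected by the check (both named in the advisory); matched case-insensitively.
var credentialKeys = []string{"default_password", "GF_SECURITY_ADMIN_PASSWORD"}

// Finding records one configuration location that still carries a default credential.
type Finding struct {
	Source string // which file the line came from
	Key    string // YAML key or environment variable name
	Value  string // the default value that was found
}

func isCredentialKey(key string) bool {
	for _, k := range credentialKeys {
		if strings.EqualFold(k, key) {
			return true
		}
	}
	return false
}

// scanKeyValues reads lines shaped like `key: value`, `KEY=value` or `- KEY=value`
// (assumed sufficient for the two files in the advisory; not a full YAML parser)
// and reports credential keys whose value is a known default.
func scanKeyValues(source, text string) []Finding {
	var found []Finding
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		line = strings.TrimPrefix(line, "- ") // compose "environment:" list item
		sep := strings.IndexAny(line, ":=")
		if sep < 0 {
			continue
		}
		key := strings.TrimSpace(line[:sep])
		value := strings.TrimSpace(line[sep+1:])
		if i := strings.Index(value, " #"); i >= 0 { // drop a trailing YAML comment
			value = strings.TrimSpace(value[:i])
		}
		value = strings.Trim(value, `"'`)
		if isCredentialKey(key) && knownDefaults[value] {
			found = append(found, Finding{Source: source, Key: key, Value: value})
		}
	}
	return found
}

// CheckDefaultCredentials runs the scan over both files and returns every hit.
func CheckDefaultCredentials(configYAML, composeYAML string) []Finding {
	found := scanKeyValues("config.yaml", configYAML)
	return append(found, scanKeyValues("docker-compose.yml", composeYAML)...)
}

// Constructed samples: the first pair mirrors the shipped defaults, the second pair
// applies the advisory's workaround (here the secret comes from an environment variable).
const sampleConfig = "# config.yaml\nauth:\n  default_password: \"change_me_please\"\n"
const sampleCompose = "# docker-compose.yml\nservices:\n  grafana:\n    environment:\n      - GF_SECURITY_ADMIN_PASSWORD=admin123\n"
const hardenedConfig = "auth:\n  default_password: \"${NGINX_DEFENDER_ADMIN_PASSWORD}\"\n"
const hardenedCompose = "services:\n  grafana:\n    environment:\n      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD}\n"

func main() {
	findings := CheckDefaultCredentials(sampleConfig, sampleCompose)
	for _, f := range findings {
		fmt.Fprintf(os.Stderr, "WARNING: %s: %s is still set to default value %q\n", f.Source, f.Key, f.Value)
	}
	if len(findings) > 0 {
		fmt.Fprintln(os.Stderr, "refusing to start while default credentials are configured")
		os.Exit(1)
	}
	fmt.Println("no default credentials found")
}
```

Run it as-is and it exits non-zero with two warnings; swap in the hardened constants and it starts cleanly. Reading secrets from environment variables, as the workaround recommends, also keeps them out of files that tend to be committed to version control.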

References

Packages

Name: github.com/Anipaleja/nginx-defender (go)
Affected versions: < 1.5.0
Fixed version: 1.5.0

EPSS

Percentile: 15%
0.00049
Low

6.5 Medium

CVSS3

Weaknesses

CWE-1392

Related vulnerabilities

CVSS3: 6.5
nvd
6 months ago

nginx-defender is a high-performance, enterprise-grade Web Application Firewall (WAF) and threat detection system engineered for modern web infrastructure. This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml and docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections. The issue is addressed in v1.5.0 and later.
