Alpine: multiple nginx packages: security update to 1.28.2-r0

high Tenable Cloud Security Plugin ID 437571

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an
unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server
side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during
the NGINX SMTP authentication process and requires the attacker to make preparations against the target
system to extract the leaked data. The issue affects NGINX only if (1) it is built with the
ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the
authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached
End of Technical Support (EoTS) are not evaluated. (CVE-2025-53859)

- A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer
Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server
side—along with conditions beyond the attacker's control—may be able to inject plain text data into the
response from an upstream proxied server. Note: Software versions which have reached End of Technical
Support (EoTS) are not evaluated. (CVE-2026-1642)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-53859

https://security.alpinelinux.org/vuln/CVE-2026-1642

Plugin Details

Severity: High

ID: 437571

Version: Revision 1.4

Type: Local

Published: 2/5/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-1642

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 4.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 8/13/2025

Reference Information

CVE: CVE-2025-53859, CVE-2026-1642

IAVA: 2025-A-0615