CRZ-003
Default nginx welcome page on production ALB
- Severity: Low
- CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N → 5.3
- CWE: CWE-1188 (Insecure Default Initialization of Resource), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- Asset: https://widget.simulator.company
- Discovered: 2026-04-26
- Status: Open
Summary
widget.simulator.company is live on HTTPS with a valid, publicly
trusted certificate (Let's Encrypt or equivalent) but serves the
stock nginx welcome page, the classic "unfinished server" indicator.
The hostname is behind a production-named ALB
(mw-prod-control-1-id160-public-*.elb.eu-west-1.amazonaws.com),
so this is not a dev or scratch host.
Reproduction
$ curl -sk https://widget.simulator.company/ | head -5
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
Impact
- Attack surface without business value. A live host on a production ALB that does nothing but serve default content is pure attack surface with zero user value: any nginx CVE, and any misconfiguration in the underlying workload, is reachable from the internet with no business need to justify it. The stock page also fingerprints the server software for anyone who looks, which is what the C:L in the vector reflects.
- Branding / trust signal. If a customer stumbles onto it, the default nginx page signals sloppy ops.
- Possible virtual host routing bug. The ALB routes widget.simulator.company to a pod that has no matching server block, so nginx falls through to its default site. Investigate whether some other hostname is supposed to be routed here, or whether this rule should not exist at all.
Remediation
- If widget.simulator.company is not used, remove the DNS record and the ALB listener rule.
- If it IS used, fix the nginx/Ingress config so the correct app is served.
- In either case, drop the packaged default site from the nginx instance and give it an explicit catch-all default server block that returns 444 (connection closed) or 404 for unmatched Host headers, so a future routing mistake fails closed instead of serving the welcome page again.
- Audit all ALB listener rules for hostnames that match default backends instead of real services.
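As an added example (not part of the original finding and not the project's own tooling), the POSIX shell script below turns the reproduction step into a sweep over many hostnames so the listener-rule audit can be run from the ALB's own host-header conditions instead of by hand. The listener ARN, the AWS CLI query and the hostnames fed in are assumptions; the detection fingerprint is the <title>Welcome to nginx!</title> line shown in the reproduction. TLS verification is left on (the cert is valid), so hosts with broken certificates show up as UNREACHABLE rather than being silently passed.

```shell
#!/bin/sh
# Added example, not part of the original finding: sweep a list of hostnames
# and flag any whose HTTPS root serves the stock nginx welcome page, using the
# same fingerprint the reproduction shows (<title>Welcome to nginx!</title>).

# Exit 0 if the HTML on stdin is the stock nginx welcome page.
is_default_nginx_page() {
  grep -qi '<title>Welcome to nginx!</title>'
}

# Fetch the root document of one hostname over HTTPS, with certificate
# verification on. Kept as its own function so it can be stubbed when
# testing offline.
fetch_root() {
  curl -s --max-time 10 "https://$1/"
}

# Classify one hostname: prints "DEFAULT <host>", "OK <host>" or
# "UNREACHABLE <host>" (curl failed: DNS, TLS or connection error).
check_host() {
  host="$1"
  body=$(fetch_root "$host") || { echo "UNREACHABLE $host"; return 0; }
  if printf '%s' "$body" | is_default_nginx_page; then
    echo "DEFAULT $host"
  else
    echo "OK $host"
  fi
}

# Classify every hostname read from stdin, one per line; blank lines are skipped.
check_hosts() {
  while read -r h; do
    [ -n "$h" ] && check_host "$h"
  done
}

# Hostnames that an ALB listener routes on a host-header condition.
# ASSUMPTION: the AWS CLI is configured and the listener ARN is known; the
# JMESPath query pulls every HostHeaderConfig value out of the listener's
# rules, and tr splits the text output onto one hostname per line.
alb_rule_hostnames() {
  aws elbv2 describe-rules --listener-arn "$1" \
    --query "Rules[].Conditions[?Field=='host-header'].HostHeaderConfig.Values[]" \
    --output text | tr '\t' '\n'
}

# Typical run (the listener ARN below is a placeholder, not a real one):
#   alb_rule_hostnames arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/... | check_hosts
```

Any DEFAULT line is a rule whose hostname lands on a backend without a matching server block; any UNREACHABLE line is a rule whose hostname no longer resolves or terminates TLS correctly, which is usually a stale record worth removing as well.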
References
- CWE-1188, CWE-200