It was reported , that nginx does not verify the identity of an origin server when the http proxy module talks to that origin server over HTTPS. This could allow for a MITM attack between the proxy and the origin server.
There are proposed patches attached to the upstream ticket, but as of yet this is not fixed in any release.
Created nginx tracking bugs for this issue
Affects: epel-all [bug 892032]
Affects: fedora-all [bug 892033]
Upstream apparently do not consider this important enough to fix. Since the upstream bug was originally reported 2 yeas ago, closing as WONTFIX for now until upstream decide they want to patch it.
This has been fixed by upstream:
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.