CVE-2024-22198 Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)

2024-01-1119:38:27

CWE-77

GitHub_M

www.cve.org

nginx-ui

authenticated

command execution

vulnerability

patched

version 2.0.0.beta.9

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

9 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.6%

JSON

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home > Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn’t allow users to modify the Terminal Start Command setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9.

CNA Affected

[
  {
    "vendor": "0xJacky",
    "product": "nginx-ui",
    "versions": [
      {
        "version": "< 2.0.0.beta.9",
        "status": "affected"
      }
    ]
  }
]