CVE-2024-22196

Published: 2024-01-11 20:15:44
CWE-89
Source: web.nvd.nist.gov
nginx-ui
server statistics
monitor
cve-2024-22196
information disclosure
defaultquery
patch
version 2.0.0.beta.9

CVSS3: 7 High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

AI Score: 6.2 Medium (Confidence: High)
EPSS: 0.0005 Low (Percentile: 18.2%)

Nginx-UI is an online statistics monitor for server indicators: it tracks CPU usage, memory usage, load average, and disk usage in real time. This issue may lead to information disclosure. The handler uses DefaultQuery, so "desc" and "id" are used as default values only when the query parameters are not set. Thus the order and sort_by query parameters are user-controlled and are appended to the order variable without any sanitization (CWE-89). This issue has been patched in version 2.0.0.beta.9.
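The pattern the description names, as an added example written for this page (it is not nginx-ui's own code, and it uses net/http's url.Values with a small stand-in for the DefaultQuery helper rather than the project's web framework): the unsafe concatenation of sort_by and order beside an allowlist-checked version. The column names in sortableColumns are assumed placeholders, not the project's real schema.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// defaultQuery stands in for the DefaultQuery helper the advisory mentions:
// the parameter value when the key is set, otherwise the fallback.
func defaultQuery(q url.Values, key, fallback string) string {
	if vs, ok := q[key]; ok && len(vs) > 0 {
		return vs[0]
	}
	return fallback
}

// unsafeOrderClause shows the pattern the advisory describes: the
// user-controlled sort_by and order values are concatenated into the
// ORDER BY text verbatim, so anything the client sends reaches the query.
func unsafeOrderClause(q url.Values) string {
	sortBy := defaultQuery(q, "sort_by", "id")
	order := defaultQuery(q, "order", "desc")
	return sortBy + " " + order
}

// sortableColumns is an allowlist of column names the caller may sort on.
// These names are assumed for the example, not taken from nginx-ui.
var sortableColumns = map[string]bool{
	"id":         true,
	"created_at": true,
	"name":       true,
}

// safeOrderClause accepts only an allowlisted column and one of the two
// SQL sort directions; everything else is rejected before any query text
// is built. Only fixed strings ever reach the returned clause.
func safeOrderClause(q url.Values) (string, error) {
	sortBy := defaultQuery(q, "sort_by", "id")
	if !sortableColumns[sortBy] {
		return "", fmt.Errorf("sort_by %q is not a sortable column", sortBy)
	}
	order := strings.ToLower(defaultQuery(q, "order", "desc"))
	switch order {
	case "asc", "desc":
		// accepted
	default:
		return "", fmt.Errorf("order %q must be asc or desc", order)
	}
	return sortBy + " " + strings.ToUpper(order), nil
}

func main() {
	// Constructed query strings: one with defaults, one with an unknown column.
	for _, raw := range []string{"", "sort_by=name&order=ASC", "sort_by=not_a_column&order=asc"} {
		q, _ := url.ParseQuery(raw)
		fmt.Printf("query %q\n  unsafe: %q\n", raw, unsafeOrderClause(q))
		if clause, err := safeOrderClause(q); err != nil {
			fmt.Printf("  safe:   rejected (%v)\n", err)
		} else {
			fmt.Printf("  safe:   %q\n", clause)
		}
	}
}
```

The allowlist is the fix to reach for here because ORDER BY identifiers cannot be bound as parameters in a prepared statement; validating against a fixed set of column names, and mapping the direction to one of two literals, is what keeps user input out of the query text.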

Affected configurations

Vendor: 0xjacky
Product: nginx_ui
Range: < 2.0.0.beta.9

CNA Affected

[
  {
    "vendor": "0xJacky",
    "product": "nginx-ui",
    "versions": [
      {
        "version": "< 2.0.0.beta.9",
        "status": "affected"
      }
    ]
  }
]
