CVE-2024-23828

2024-01-2917:15:10

CWE-74

[email protected]

web.nvd.nist.gov

nginx-ui

web interface

nginx configurations

vulnerability

authenticated

command execution

crlf attack

incomplete fix

patched

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.7%

JSON

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to an authenticated arbitrary command execution via CRLF attack when changing the value of test_config_cmd or start_cmd. This vulnerability exists due to an incomplete fix for CVE-2024-22197 and CVE-2024-22198. This vulnerability has been patched in version 2.0.0.beta.12.

Affected configurations

Vulners

NVD

Node

0xjackynginx_uiRange<0.0.beta.12

CPENameOperatorVersion
nginxui:nginx_uinginxui nginx uilt2.0.0

CPE	Name	Operator	Version
nginxui:nginx_ui	nginxui nginx ui	lt	2.0.0

CNA Affected

[
  {
    "vendor": "0xJacky",
    "product": "nginx-ui",
    "versions": [
      {
        "version": "< v2.0.0.beta.12",
        "status": "affected"
      }
    ]
  }
]