CVE-2024-22198

2024-01-1120:15:45

Google

osv.dev

nginx-ui

arbitrary command execution

configuration settings

remote code execution

information disclosure

vulnerability

patched version

7.1 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

69.4%

JSON

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home > Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn’t allow users to modify the Terminal Start Command setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9.

CPENameOperatorVersion
nginx-uieq1.2.0-rc.3
nginx-uieq2.0.0-beta.6-patch
nginx-uieq1.5.0-beta4-fix
nginx-uieq1.3.0-rc1
nginx-uieq1.3.1-fix
nginx-uieq1.8.4-patch
nginx-uieq1.4.0-rc1
nginx-uieq2.0.0-beta.8
nginx-uieq1.2.0-alpha.4
nginx-uieq1.5.0-beta8

Name	Operator	Version
nginx-ui	eq	1.2.0-rc.3
nginx-ui	eq	2.0.0-beta.6-patch
nginx-ui	eq	1.5.0-beta4-fix
nginx-ui	eq	1.3.0-rc1
nginx-ui	eq	1.3.1-fix
nginx-ui	eq	1.8.4-patch
nginx-ui	eq	1.4.0-rc1
nginx-ui	eq	2.0.0-beta.8
nginx-ui	eq	1.2.0-alpha.4
nginx-ui	eq	1.5.0-beta8