CVE-2024-22198 Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)

2024-01-1119:38:27

CWE-77

GitHub_M

github.com

cve-2024-22198

authenticated

nginx-ui

command execution

configuration settings

remote code execution

privilege escalation

information disclosure

patched

ghsl-2023-268

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

AI Score

7.1

Confidence

Low

EPSS

0.004

Percentile

74.3%

SSVC

Exploitation

poc

Automatable

Technical Impact

total

JSON

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home > Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn’t allow users to modify the Terminal Start Command setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*"
    ],
    "vendor": "nginxui",
    "product": "nginx_ui",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "2.0.0.beta.8",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta9:*:*:*:*:*:*"
    ],
    "vendor": "nginxui",
    "product": "nginx_ui",
    "versions": [
      {
        "status": "unaffected",
        "version": "2.0.0"
      }
    ],
    "defaultStatus": "unknown"
  }
]