CVE-2024-22196
Published: 2024-01-11
Priority P3 (35) · medium · CVSS 3.1 base score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.58% (43.5th percentile)
Nginx-UI is an online statistics tool for server indicators that monitors CPU usage, memory usage, load average, and disk usage in real time. This issue may lead to information disclosure. By using `DefaultQuery`, the `"desc"` and `"id"` values are used as defaults when the query parameters are not set. Thus, the `order` and `sort_by` query parameters are user-controlled and are appended to the `order` variable without any sanitization. This issue has been patched in version 2.0.0.beta.9.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | < 2.0.0.beta.9 | 2.0.0.beta.9 |
| github.com | 0xjacky_nginx-ui | >= 0 < 2.0.0.beta.9 | 2.0.0.beta.9 |
| github.com | 0xjacky_nginx-ui | >= 0 < 1.9.10-0.20231219195202-ec93ab05a3ec | 1.9.10-0.20231219195202-ec93ab05a3ec |
| nginxui | nginx_ui | < 2.0.0 | 2.0.0 |
| nginxui | nginx_ui | — | — |
OSV · 2024-01-17 · CVE-2024-22196: SQL injection in github.com/0xJacky/Nginx-UI
OSV · 2024-01-11 · CVE-2024-22196 [HIGH]: Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
### Summary
The [`OrderAndPaginate`](https://github.com/0xjacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/model/model.go#L99C4) function is used to order and paginate data. It is defined as follows:
```go
func OrderAndPaginate(c *gin.Context) func(db *gorm.DB) *gorm.DB {
	return func(db *gorm.DB) *gorm.DB {
		sort := c.DefaultQuery("order", "desc")
		order := fmt.Sprintf("`%s` %s", DefaultQuery(c, "sort_by", "id"), sort)
		db = db.Order(order)
		...
	}
}
```
By using [`DefaultQuery`](https://github.com/0xjacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/model/model.go#L278-L287), the `"desc"` and `"id"` values are used as defaults when the query parameters are not set. Thus, the `order` and `sort_by` query parameters are user-controlled and are appended to the `order` variable without any sanitization.
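The vulnerable construction above beside an allowlisted form, as an added Go example that is neither the project's code nor its actual patch; `gin` and `gorm` are left out so it runs stand-alone on a raw query string, and the column names in the allowlist are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var (
	ErrBadSortParam = errors.New("rejected sort parameter")
	// Column allowlist assumed for this example; list exactly the sortable columns.
	allowedColumns    = map[string]bool{"id": true, "name": true, "created_at": true}
	allowedDirections = map[string]bool{"asc": true, "desc": true}
)

// queryOrDefault mirrors the DefaultQuery behaviour the advisory describes:
// the default is used only when the parameter is absent from the query string.
func queryOrDefault(q url.Values, key, def string) string {
	if vs, ok := q[key]; ok && len(vs) > 0 {
		return vs[0]
	}
	return def
}

// unsafeOrderClause builds the ORDER BY fragment the way the vulnerable code does:
// the raw query values are formatted straight into SQL text with no check.
func unsafeOrderClause(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("`%s` %s", queryOrDefault(q, "sort_by", "id"), queryOrDefault(q, "order", "desc")), nil
}

// safeOrderClause accepts only allowlisted column names and directions, so the
// only strings that can reach the SQL text are the constants declared above.
func safeOrderClause(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	sortBy := queryOrDefault(q, "sort_by", "id")
	dir := strings.ToLower(queryOrDefault(q, "order", "desc"))
	if !allowedColumns[sortBy] || !allowedDirections[dir] {
		return "", fmt.Errorf("%w: sort_by=%q order=%q", ErrBadSortParam, sortBy, dir)
	}
	return fmt.Sprintf("`%s` %s", sortBy, dir), nil
}
```

A non-allowlisted `sort_by` such as a column the endpoint never exposes is exactly what the unsafe path lets through and the safe path refuses.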
GHSA · 2024-01-11 · CVE-2024-22196 [HIGH] CWE-89: Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/0xJacky/nginx-ui/commit/ec93ab05a3ecbb6bcf464d9dca48d74452df8a5b
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h374-mm57-879c