CVE-2024-22197
Published 2024-01-11
Priority: P3 56 high · CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.54% (71.7th percentile)
Nginx-ui provides online statistics for server indicators, monitoring CPU usage, memory usage, load average, and disk usage in real time. The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API also exposes `test_config_cmd`, `reload_cmd` and `restart_cmd`. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sending a request to the API. This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure. This issue has been patched in version 2.0.0.beta.9.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | < v2.0.0.beta.12 | v2.0.0.beta.12 |
| github.com | 0xjacky_nginx-ui | >= 0 < 2.0.0.beta.9 | 2.0.0.beta.9 |
| github.com | 0xjacky_nginx-ui | >= 0 < 1.9.10-0.20231219184941-827e76c46e63 | 1.9.10-0.20231219184941-827e76c46e63 |
| nginxui | nginx_ui | < 2.0.0 | 2.0.0 |
| nginxui | nginx_ui | — | — |
OSV · 2024-01-17
CVE-2024-22197: Remote command execution in github.com/0xJacky/Nginx-UI
OSV · 2024-01-11
CVE-2024-22197 [HIGH]: Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)
### Summary
The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API also exposes `test_config_cmd`, `reload_cmd` and `restart_cmd`. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sending a request to the [API](https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/system/router.go#L13).
```go
func InitPrivateRouter(r *gin.RouterGroup) {
	r.GET("settings", GetSettings)
	r.POST("settings", SaveSettings)
	...
}
```
The [`SaveSettings`](https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/system/settings.
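The root cause described above is a settings endpoint that accepts every field of the settings structure, including the ones that end up in a shell command. One defensive pattern is to fail closed on an allowlist of UI-editable keys. This is an added example and not the project's code; the key names `access_log_path` and `error_log_path` and the function name `FilterSettingsUpdate` are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Hypothetical allowlist of settings a POST to /settings may change; the
// command fields named in the advisory are deliberately absent.
var mutableSettings = map[string]bool{
	"access_log_path": true,
	"error_log_path":  true,
}

// FilterSettingsUpdate keeps only allowlisted keys from a JSON settings body.
// Any other key fails the request closed, so test_config_cmd, reload_cmd and
// restart_cmd cannot be smuggled into a request the UI would never send.
func FilterSettingsUpdate(body []byte) (map[string]string, error) {
	var raw map[string]string // every setting here is a string; other types fail to decode
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, fmt.Errorf("invalid settings body: %w", err)
	}
	allowed := make(map[string]string, len(raw))
	var rejected []string
	for key, val := range raw {
		if mutableSettings[key] {
			allowed[key] = val
		} else {
			rejected = append(rejected, key)
		}
	}
	if len(rejected) > 0 {
		sort.Strings(rejected) // deterministic message for logs and alerting
		return nil, fmt.Errorf("read-only or unknown settings: %s", strings.Join(rejected, ", "))
	}
	return allowed, nil
}

func main() {
	// Constructed bodies: what the UI sends, and one carrying a command field.
	legit := []byte(`{"access_log_path":"/var/log/nginx/access.log"}`)
	smuggled := []byte(`{"error_log_path":"/var/log/nginx/error.log","reload_cmd":"something-else"}`)
	for _, body := range [][]byte{legit, smuggled} {
		got, err := FilterSettingsUpdate(body)
		fmt.Printf("%s -> %v err=%v\n", body, got, err)
	}
}
```

A rejected request names the offending keys in its error, which is also the signal a handler should log: a client sending `reload_cmd` or `restart_cmd` is not the shipped UI.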
GHSA · 2024-01-11
CVE-2024-22197 [HIGH] CWE-77: Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269). Same advisory text as the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/0xJacky/nginx-ui/commit/827e76c46e63c52114a62a899f61313039c754e3
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-pxmr-q2x3-9x9m