cbcvebase.
CVE-2024-22197
published 2024-01-11

CVE-2024-22197: Nginx-ui is online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. The `Home > Preference` page…

PriorityP356high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.54%
71.7th percentile
Nginx-ui is online statistics for Server Indicators​​ Monitor CPU usage, memory usage, load average, and disk usage in real-time. The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API also exposes `test_config_cmd`, `reload_cmd` and `restart_cmd`. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sending a request to the API. This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure. This issue has been patched in version 2.0.0.beta.9.

Affected

5 ranges
VendorProductVersion rangeFixed in
0xjackynginx-ui< v2.0.0.beta.12v2.0.0.beta.12
github.com0xjacky_nginx-ui>= 0 < 2.0.0.beta.92.0.0.beta.9
github.com0xjacky_nginx-ui>= 0 < 1.9.10-0.20231219184941-827e76c46e631.9.10-0.20231219184941-827e76c46e63
nginxuinginx_ui< 2.0.02.0.0
nginxuinginx_ui
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.