CVE-2024-43804
published 2024-08-29


Priority: P2 62 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.54% (83.0th percentile)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. An OS Command Injection vulnerability allows any authenticated user on the application to execute arbitrary code on the web application server via the port scanning functionality. User-supplied input is used without validation when constructing and executing an OS command. User-supplied JSON POST data is parsed and, if the "id" JSON key does not exist, the JSON value supplied via the "ip" JSON key is assigned to the "ip" variable. Later on, the "ip" variable, which can be controlled by the attacker, is used when constructing the cmd and cmd1 strings without any extra validation. Then, the server_mod.subprocess_execute function is called on both cmd1 and cmd2. When the definition of the server_mod.subprocess_execute() function is analyzed, it can be seen that subprocess.Popen() is called on the input parameter with shell=True, which results in OS Command Injection. This issue has not yet been patched. Users are advised to contact Roxy-WI to coordinate a fix.

Affected

2 ranges

Vendor    Product   Version range   Fixed in
roxy-wi   roxy-wi   <= 8.0          (none)
roxy-wi   roxy-wi   (unspecified)   (none)

Detection & IOCs (extracted from sources)

  • OS Command Injection via the 'ip' JSON key in a POST request to the port scanning functionality; user-supplied value is passed unsanitized into a shell command constructed as cmd/cmd1 strings, then executed via subprocess.Popen() with shell=True
  • Sink is subprocess.Popen() called with shell=True on attacker-controlled input; monitor for anomalous child processes spawned by the Roxy-WI web application process
  • Any authenticated user can trigger the vulnerability; alert on authenticated POST requests to the port scanning endpoint containing an 'ip' JSON key with shell metacharacters (e.g., ;, |, $(), backticks)
  • No patch was available at time of disclosure; users were advised to contact Roxy-WI to coordinate a fix
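The flaw described above (the "ip" JSON value flowing into a shell=True command) and the detection bullets call for the same two pieces of logic: a request handler that validates the target before any command is built, and a heuristic that flags request bodies carrying shell metacharacters in the "ip" key. The block below is an added, illustrative example written for this record; it is not Roxy-WI's code. The scanner binary ("nmap"), the port range, and all function names are assumptions.

```python
import ipaddress
import json
import subprocess

# Metacharacters the detection bullet above lists, plus a few common ones.
SHELL_METACHARS = set(";|&$`<>()\n")


def parse_scan_target(raw_body: str) -> str:
    """Return a validated IP literal taken from the JSON POST body.

    Mirrors the described flow: when "id" is absent, "ip" is used. Unlike
    the vulnerable flow, the value must parse as an IP address before it
    can ever be placed in a command.
    """
    data = json.loads(raw_body)
    if "id" in data:
        # Lookup by server id is outside what this record describes.
        raise ValueError("id-based lookup not handled in this example")
    ip = data.get("ip")
    if not isinstance(ip, str):
        raise ValueError("ip must be a string")
    # ipaddress.ip_address() accepts only a bare IPv4/IPv6 literal, so
    # anything containing shell syntax is rejected here.
    return str(ipaddress.ip_address(ip.strip()))


def build_scan_argv(ip: str, ports: str = "1-1024") -> list:
    """Build the scan command as an argv list (hypothetical scanner).

    A list, never shell=True, makes the target one argument to the
    program; no shell parses it.
    """
    return ["nmap", "-p", ports, ip]


def run_scan(raw_body: str) -> subprocess.CompletedProcess:
    argv = build_scan_argv(parse_scan_target(raw_body))
    return subprocess.run(argv, capture_output=True, text=True, check=False)


def looks_like_injection_attempt(raw_body: str) -> bool:
    """Detection heuristic for web logs: "ip" is not a valid address and
    contains shell metacharacters. Constructed for this example."""
    try:
        ip = json.loads(raw_body).get("ip")
    except (ValueError, AttributeError):
        return False
    if not isinstance(ip, str):
        return False
    try:
        ipaddress.ip_address(ip.strip())
        return False
    except ValueError:
        return any(c in SHELL_METACHARS for c in ip)
```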

CVSS provenance

nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_oracle: 8.1 MEDIUM