Hap-Wi Roxy-Wi vulnerabilities
8 known vulnerabilities affecting hap-wi/roxy-wi.
Total CVEs: 8
CISA KEV: 0
Public exploits: 4
Exploited in wild: 3
Severity breakdown: CRITICAL 4, HIGH 2, MEDIUM 2
Vulnerabilities
CVE-2022-31137 | P1 | CRITICAL | CWE-78 | CVSS 9.8 | Exploited | PoC | fixed in 6.1.1.0 | 2022-07-08
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authent
nvd
CVE-2022-31126 | P1 | CRITICAL | CWE-74 | CVSS 9.8 | Exploited | PoC | fixed in 6.1.1.0 | 2022-07-06
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to achieve code execution by sending a specially crafted HTTP request to /app/options.py file. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There are no known
nvd
CVE-2022-31161 | P1 | CRITICAL | CWE-77 | CVSS 9.8 | Exploited | PoC | fixed in 6.1.1.0 | 2022-07-15
Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue.
nvd
CVE-2022-31125 | P1 | CRITICAL | CWE-287 | CVSS 9.8 | PoC | fixed in 6.1.1.0 | 2022-07-06
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There
nvd
CVE-2023-25803 | P3 | HIGH | CWE-22 | CVSS 7.5 | fixed in 6.3.5.0 | 2023-03-13
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a directory traversal vulnerability that allows the inclusion of server-side files. This issue is fixed in version 6.3.5.0.
nvd
CVE-2023-25802 | P3 | HIGH | CWE-22 | CVSS 7.5 | fixed in 6.3.6.0 | 2023-03-13
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`, allowing an actor to gain information about a server. Version 6.3.6.0 has a patch for this issue.
nvd
CVE-2023-29004 | P3 | MEDIUM | CWE-22 | CVSS 6.5 | ≤ 6.3.9.0 | 2023-04-17
hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to /app/options.py and the config_file_name parameter. Successful exploitation o
nvd
CVE-2023-25804 | P4 | MEDIUM | CWE-22 | CVSS 5.3 | fixed in 6.3.5.0 | 2023-03-15
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a limited path traversal vulnerability. An SSH key can be saved into an unintended location, for example the `/tmp` folder using a payload `../../../../../tmp/test111_dev`. This issue has been fixed in version 6.3.5.0.
nvd