CVE-2024-22198

11.01.2024, 20:15

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The `Home > Preference` page exposes a list of system settings such as `Run Mode`, `Jwt Secret`, `Node Secret` and `Terminal Start Command`. While the UI doesn't allow users to modify the `Terminal Start Command` setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9.

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.1 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
GitHub_M	CNA	7.1 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 95%

Vendor	Product	Version
nginxui	nginx_ui	𝑥 < 2.0.0
nginxui	nginx_ui	2.0.0:beta1
nginxui	nginx_ui	2.0.0:beta2
nginxui	nginx_ui	2.0.0:beta3
nginxui	nginx_ui	2.0.0:beta4
nginxui	nginx_ui	2.0.0:beta4_patch
nginxui	nginx_ui	2.0.0:beta5
nginxui	nginx_ui	2.0.0:beta5_patch
nginxui	nginx_ui	2.0.0:beta6
nginxui	nginx_ui	2.0.0:beta6_patch
nginxui	nginx_ui	2.0.0:beta6_patch2
nginxui	nginx_ui	2.0.0:beta7
nginxui	nginx_ui	2.0.0:beta8
nginxui	nginx_ui	2.0.0:beta8_patch

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/system/settings.go#L18

https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/terminal/pty.go#L11

https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/internal/pty/pipeline.go#L29

https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/router/middleware.go#L45

https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/settings/server.go#L12

https://github.com/0xJacky/nginx-ui/commit/827e76c46e63c52114a62a899f61313039c754e3

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-8r25-68wm-jw35

https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/system/settings.go#L18

https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/terminal/pty.go#L11

https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/internal/pty/pipeline.go#L29

https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/router/middleware.go#L45

https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/settings/server.go#L12

https://github.com/0xJacky/nginx-ui/commit/827e76c46e63c52114a62a899f61313039c754e3

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-8r25-68wm-jw35