CVE-2022-31137

Name of the Vulnerable Software and Affected Versions Roxy-WI versions prior to 6.1.1.0

Description Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The issue arises from the subprocess execute function in the /app/options.py file, which does not properly process user input, allowing system commands to be executed remotely without authentication. This enables attackers to run arbitrary code on the system.

Recommendations For versions prior to 6.1.1.0, it is recommended to upgrade to a newer version to resolve the issue. As a temporary workaround, consider restricting access to the subprocess execute function in the /app/options.py file until a patch is available. Additionally, avoid using the subprocess execute function without proper input validation to minimize the risk of exploitation. At the moment, there is no information about other mitigation measures for this vulnerability.