CVE-2024-22196

Name of the Vulnerable Software and Affected Versions Nginx-UI versions prior to 2.0.0.beta.9

Description The issue is related to a lack of protection against SQL query structure exploitation in the Nginx UI server. This may allow a remote attacker to gain unauthorized access to protected information. The problem leads to information disclosure, where user-controlled query parameters order and sort by are appended to the order variable without sanitization, using DefaultQuery with default values for "desc" and "id".

Recommendations For versions prior to 2.0.0.beta.9, update to version 2.0.0.beta.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the order and sort by query parameters in the affected API endpoint until a patch is available. Avoid using the DefaultQuery with default values for "desc" and "id" in the affected API endpoint until the issue is resolved.