PT-2023-8394 · Nginx-Ui · Nginx-Ui

Jorgectf · Published 2023-12-19 · Updated 2024-02-08 · CVE-2024-22198

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Nginx-UI versions prior to 2.0.0.beta.9

Description: The issue concerns arbitrary command execution by abusing configuration settings in Nginx-UI, a web interface for managing Nginx configurations. The Home > Preference page exposes system settings such as Run Mode, Jwt Secret, Node Secret, and Terminal Start Command. Although the UI does not allow modification of the Terminal Start Command setting, it is possible to modify it by sending a request to the API. This can lead to authenticated remote code execution, privilege escalation, and information disclosure.

Recommendations: For versions prior to 2.0.0.beta.9, update to version 2.0.0.beta.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the Terminal Start Command setting and limiting the ability to send requests to the API that could modify this setting. Additionally, restrict access to the Home > Preference page to minimize the risk of exploitation.

Weakness Enumeration

Command Injection

Related Identifiers

BDU:2024-00625
CVE-2024-22198
GHSA-8R25-68WM-JW35
GO-2024-2462

Affected Products

Nginx-Ui