PT-2024-1362 · Nginx-Ui · Nginx-Ui

Elleuch-X1 · Published 2024-01-22 · Updated 2024-06-28 · CVE-2024-23828

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Nginx-UI versions prior to v2.0.0-beta.12

Description: The issue lies in how the Nginx UI server handles its app.ini configuration file: special elements in the test config cmd and start cmd parameters are not properly neutralized before those values are used to run commands. An authenticated remote attacker who can inject such values can execute arbitrary code on the host.

Recommendations: For versions prior to v2.0.0-beta.12, update to v2.0.0-beta.12 or later. As a temporary workaround, restrict access to the app.ini configuration file so that malicious values cannot be injected into the test config cmd and start cmd parameters, and avoid using these parameters through the affected API endpoints until the fix is applied.
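To support the workaround, a defender can audit app.ini for command parameters that carry shell special elements before the server runs them. The Go program below is an added example written for this advisory, not code from Nginx-UI; the key names TestConfigCmd and StartCmd and the sample INI are assumptions, since the advisory only names the parameters informally.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Key names are an assumption (the advisory only says "test config cmd" and "start cmd").
var cmdKeys = map[string]bool{"TestConfigCmd": true, "StartCmd": true}
// Shell special elements that a plain nginx command line never needs.
const shellMeta = ";|&$`<>()\n\r"

// AuditAppINI scans INI text and returns "section.Key = value" for every
// command parameter whose value carries shell special elements. The parser
// is minimal: "[section]" headers, "Key = Value" lines, "#"/";" comments.
func AuditAppINI(ini string) []string {
	var findings []string
	section := ""
	sc := bufio.NewScanner(strings.NewReader(ini))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = line[1 : len(line)-1]
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		if cmdKeys[k] && strings.ContainsAny(v, shellMeta) {
			findings = append(findings, section+"."+k+" = "+v)
		}
	}
	return findings
}

// Constructed sample: one clean value, one that chains a second command.
const sampleINI = `[nginx]
TestConfigCmd = nginx -t
StartCmd = nginx; echo injected
`
func main() {
	for _, f := range AuditAppINI(sampleINI) {
		fmt.Println("suspicious:", f)
	}
}
```

Running the check from a deploy pipeline or a file-integrity job gives early warning that app.ini has been tampered with, independent of the upgrade.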

Exploit

Fix

Weakness Enumeration: Special Elements Injection

Related Identifiers

BDU:2024-00816
CVE-2024-23828
GHSA-QCJQ-7F7V-PVC8
GO-2024-2480

Affected Products

Nginx-Ui