CVE-2024-23827

State: PUBLISHED · Published: 2024-01-29 · Updated: 2024-11-12 · Assigner: GitHub_M

Description

Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It's possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue.

CWE

CWE-22 — CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected

0xJacky / nginx-ui — v=< 2.0.0.beta.12 [affected]

CVSS

3.1 score=9.8 severity=CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m x_refsource_CONFIRM

Source

cvelistV5-main/cves/2024/23xxx/CVE-2024-23827.json