CVE-2024-23827
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
29/01/2024
Last modified:
08/02/2024
Description
Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary file writes on the system: it does not check whether the user-supplied input is a certificate or key, and it allows writing to arbitrary paths. The vulnerability can be leveraged into remote code execution by overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue.
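The two checks the description says were missing, sketched as an added example; this is not Nginx-UI's code or its actual fix. The `certDir` value and the names `checkImport` and `sampleCertPEM` are assumptions, and only certificates are handled (a private key would go through the x509 key parsers in the same way).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"path/filepath"
	"strings"
)

const certDir = "/etc/nginx/ssl" // assumed base directory; the advisory names none

// checkImport (hypothetical) confines the destination to certDir (lexical check, symlinks
// not resolved) and returns a re-encoded copy of the parsed certificates; other text is dropped.
func checkImport(userPath string, input []byte) (string, []byte, error) {
	p := filepath.Join(certDir, userPath) // Join also cleans ".." segments
	if filepath.IsAbs(userPath) || !strings.HasPrefix(p, certDir+"/") {
		return "", nil, fmt.Errorf("%q is not a path under %s", userPath, certDir)
	}
	var out []byte
	for b, rest := pem.Decode(input); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" || len(b.Headers) != 0 {
			return "", nil, fmt.Errorf("rejected PEM block %q", b.Type)
		}
		if _, err := x509.ParseCertificate(b.Bytes); err != nil {
			return "", nil, fmt.Errorf("not a certificate: %w", err)
		}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: b.Type, Bytes: b.Bytes})...)
	}
	if out == nil {
		return "", nil, fmt.Errorf("no PEM certificate in input")
	}
	return p, out, nil
}

// sampleCertPEM builds a throwaway self-signed certificate (constructed sample input).
func sampleCertPEM() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"}}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	_, _, err := checkImport("../../app.ini", sampleCertPEM())
	fmt.Println(err) // refused before anything is written
}
```

Because the caller writes the returned bytes rather than the uploaded ones, input that is not a parsed certificate never reaches disk, whatever the destination.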
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:nginxui:nginx_ui:1.2.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.2.0:alpha2:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.2.0:alpha3:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.2.0:alpha4:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.2.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.2.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.2.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.2.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.3.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.3.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.3.1:-:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.3.1:fix:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.3.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:nginxui:nginx_ui:1.3.3:rc1:*:*:*:*:*:* | ||
To consult the complete list of CPE names with products and versions, see this page



