CVE-2024-22198
Published: 11 January 2024
Summary
CVE-2024-22198 is a high-severity Command Injection (CWE-77) vulnerability in Nginxui Nginx Ui. Its CVSS base score is 7.1 (High).
Operationally, it ranks in the top 5.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Nginx-UI is a web-based interface for managing Nginx configurations that is affected by an improper access control flaw tracked as CVE-2024-22198. The Home > Preference page surfaces sensitive settings including Run Mode, Jwt Secret, Node Secret, and Terminal Start Command; although the user interface prevents modification of the Terminal Start Command value, the underlying API endpoint accepts changes to it, enabling an attacker to supply an arbitrary command string that is later executed by the terminal subsystem.
An authenticated user with low-privileged access can exploit the issue over the network by directly invoking the settings API, achieving remote code execution, privilege escalation, and disclosure of secrets. The attack requires no user interaction and succeeds when the attacker can reach the management interface, resulting in a CVSS 3.1 score of 7.1.
The vulnerability was addressed in release 2.0.0.beta.9, which restricts modification of the Terminal Start Command setting. The supplied references point to the affected code paths in settings.go, pty.go, pipeline.go, middleware.go, and server.go that were updated in the patch.
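The root cause described above is a settings endpoint that trusts every field in the request body, so a value the UI never exposes for editing is still writable through the API. The following Go program is an added illustration, not Nginx-UI's own code (the real code paths are in the settings.go, pty.go, pipeline.go, middleware.go and server.go files the references name). The `Settings` type, the JSON keys (`run_mode`, `start_cmd`), the `/api/settings` path and the request payload are all assumed. It contrasts the weak pattern (decode the whole body into the stored struct) with a hardened handler that scans for the protected key, then decodes into an allow-list struct with `DisallowUnknownFields`; the allow-list goes further than the page's specific fix by rejecting every key that is not explicitly permitted, and it logs each rejected attempt, which is the signal a defender would alert on.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Settings is a hypothetical preferences record modelled on the fields the
// advisory names; it is not Nginx-UI's own type.
type Settings struct {
	RunMode    string `json:"run_mode"`
	JwtSecret  string `json:"jwt_secret"`
	NodeSecret string `json:"node_secret"`
	StartCmd   string `json:"start_cmd"` // terminal start command: server-controlled only
}

// current stands in for the persisted settings store.
var current = Settings{RunMode: "release", StartCmd: "login"}

// vulnerableUpdate is the weak pattern: the whole JSON body is decoded into the
// settings struct, so every field the struct has is client-writable, whether or
// not the UI ever renders an input for it.
func vulnerableUpdate(body []byte) (Settings, error) {
	s := current
	if err := json.Unmarshal(body, &s); err != nil {
		return current, err
	}
	return s, nil
}

// ErrProtectedField is returned when a client tries to set a server-only key.
var ErrProtectedField = errors.New("protected setting in request")

// protectedKeys lists JSON keys the API must never accept from a client.
var protectedKeys = []string{"start_cmd"}

// hardenedUpdate enforces the restriction at the API, not in the UI: the body is
// first scanned for protected keys (so the rejection names the offending key),
// then decoded into an allow-list struct with DisallowUnknownFields so anything
// outside the allow-list is rejected as well.
func hardenedUpdate(body []byte) (Settings, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return current, err
	}
	for _, k := range protectedKeys {
		if _, present := raw[k]; present {
			return current, fmt.Errorf("%w: %q", ErrProtectedField, k)
		}
	}
	var in struct {
		RunMode *string `json:"run_mode"` // the only client-writable field here
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&in); err != nil {
		return current, err
	}
	s := current
	if in.RunMode != nil {
		s.RunMode = *in.RunMode
	}
	return s, nil
}

// settingsHandler wires hardenedUpdate to an HTTP endpoint; a rejected update is
// logged with the caller's address so it can be picked up by monitoring.
func settingsHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<16))
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	s, err := hardenedUpdate(body)
	if err != nil {
		log.Printf("rejected settings update from %s: %v", r.RemoteAddr, err)
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	current = s
	w.WriteHeader(http.StatusNoContent)
}

// postSettings drives the handler in-process and returns the HTTP status.
func postSettings(body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/settings", strings.NewReader(body))
	settingsHandler(rec, req)
	return rec.Code
}

func main() {
	// Constructed request: a field the UI hides, smuggled into a direct API call.
	payload := `{"run_mode":"debug","start_cmd":"/usr/local/bin/other"}`
	v, _ := vulnerableUpdate([]byte(payload))
	fmt.Printf("weak pattern accepted start_cmd=%q\n", v.StartCmd)
	fmt.Printf("hardened handler status for hidden field: %d\n", postSettings(payload))
	fmt.Printf("hardened handler status for allowed field: %d\n", postSettings(`{"run_mode":"debug"}`))
}
```

The protected-key scan and the allow-list decoder overlap on purpose: the scan gives an audit log entry that names the field an operator cares about, while `DisallowUnknownFields` is the catch-all that keeps a future struct field from becoming writable by accident.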
EPSS for the CVE rose from a low baseline to a peak of 0.2031, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0301
Vulnerability details
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The `Home > Preference` page exposes a list of system settings such as `Run Mode`, `Jwt Secret`, `Node Secret` and `Terminal Start Command`. While the UI doesn't allow users to modify the `Terminal Start Command` setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet.