
CVE-2024-22198

High · Public PoC · RCE

Published: 11 January 2024
Modified: 21 November 2024
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS score: 0.1601 (94.9th percentile)
Risk priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-22198 is a high-severity command injection (CWE-77) vulnerability in Nginx UI (vendor nginxui). Its CVSS base score is 7.1 (High).

Operationally, it ranks in the top 5.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.

Deeper analysis

Nginx-UI is a web-based interface for managing Nginx configurations that is affected by an improper access control flaw tracked as CVE-2024-22198. The Home > Preference page surfaces sensitive settings including Run Mode, Jwt Secret, Node Secret, and Terminal Start Command; although the user interface prevents modification of the Terminal Start Command value, the underlying API endpoint accepts changes to it, enabling an attacker to supply an arbitrary command string that is later executed by the terminal subsystem.

An authenticated user with low-privileged access can exploit the issue over the network by directly invoking the settings API, achieving remote code execution, privilege escalation, and disclosure of secrets. The attack requires no user interaction and succeeds when the attacker can reach the management interface, resulting in a CVSS 3.1 score of 7.1.

The vulnerability was addressed in release 2.0.0.beta.9, which restricts modification of the Terminal Start Command setting. The supplied references point to the affected code paths in settings.go, pty.go, pipeline.go, middleware.go, and server.go that were updated in the patch.
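The core defect described above is a restriction enforced only in the UI while the settings API accepts any field. The following Go snippet is an added illustration, not code from the Nginx-UI project: it contrasts a handler that decodes the request body straight onto the settings (every field writable) with one that checks the submitted keys against a server-side allowlist before touching anything. The struct, JSON keys, and which keys are editable are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Settings mirrors the fields listed on the Home > Preference page.
// Field names and JSON keys are assumptions made for this example.
type Settings struct {
	RunMode              string `json:"run_mode"`
	JwtSecret            string `json:"jwt_secret"`
	NodeSecret           string `json:"node_secret"`
	TerminalStartCommand string `json:"terminal_start_command"`
}

// Keys a client is allowed to change (assumed set). terminal_start_command is
// deliberately absent: hiding it in the UI is not a control, because a client
// can always call the API directly, so the server must enforce the same rule.
var mutableKeys = map[string]bool{"run_mode": true, "jwt_secret": true, "node_secret": true}
var ErrProtectedKey = errors.New("settings update touches a protected key")

// ApplyUpdateUnchecked is the vulnerable pattern: whatever JSON arrives is
// decoded onto the current settings, so every field, including the command
// later run by the terminal subsystem, is writable by any caller.
func ApplyUpdateUnchecked(current Settings, body []byte) (Settings, error) {
	updated := current
	if err := json.Unmarshal(body, &updated); err != nil {
		return current, err
	}
	return updated, nil
}

// ApplyUpdate is the hardened form: the body is first decoded as a bare key
// set and rejected if any key falls outside the allowlist, before any field
// is modified. Unknown keys are refused too (default deny).
func ApplyUpdate(current Settings, body []byte) (Settings, error) {
	var keys map[string]json.RawMessage
	if err := json.Unmarshal(body, &keys); err != nil {
		return current, err
	}
	for k := range keys {
		if !mutableKeys[k] {
			return current, fmt.Errorf("%w: %q", ErrProtectedKey, k)
		}
	}
	return ApplyUpdateUnchecked(current, body)
}
```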

EPSS for the CVE rose from a low baseline to a peak of 0.2031, indicating that exploitation interest increased after public disclosure.


Vulnerability details

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The `Home > Preference` page exposes a list of system settings such as `Run Mode`, `Jwt Secret`, `Node Secret` and `Terminal Start Command`. While the UI doesn't allow users to modify the `Terminal Start Command` setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: nginxui
Product: nginx ui
Versions: ≤ 2.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
