CVE-2024-23827
CRITICAL
nginx-ui - Unauthenticated Arbitrary File Write via Import Certificate Feature
Title source: llmDescription
Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary file writes on the host system. The feature does not check whether the provided user input is a certificate or key, and it allows writing to arbitrary paths on the system. The vulnerability can be leveraged into remote code execution by overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue.
References (1)
Core References (1)
Third Party Advisory (x_refsource_confirm)
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m
Scores
CVSS v3
9.8
EPSS
0.0070
EPSS Percentile
48.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (29)
0xJacky/Nginx-UI
0 - 2.0.0-beta.12 (Go)
nginxui/nginx_ui
1.2.0 (7 CPE variants)
nginxui/nginx_ui
1.2.1
nginxui/nginx_ui
1.2.2
nginxui/nginx_ui
1.3.0 (2 CPE variants)
nginxui/nginx_ui
1.3.1 (2 CPE variants)
nginxui/nginx_ui
1.3.2
nginxui/nginx_ui
1.3.3 rc1
nginxui/nginx_ui
1.4.0 (2 CPE variants)
nginxui/nginx_ui
1.4.1
... and 19 more
Published
Jan 29, 2024
Tracked Since
Feb 18, 2026