
Cloud Vulnerability DB
A community-led vulnerabilities database
Nginx-UI, a web interface for managing Nginx configurations, was found to contain a vulnerability (CVE-2024-22198) that allows arbitrary command execution through configuration settings manipulation. The vulnerability was discovered in versions prior to 2.0.0.beta.9 and disclosed on January 11, 2024. The issue affects the Home > Preference page where system settings including Terminal Start Command can be modified through API requests despite UI restrictions (GitHub Advisory).
The vulnerability stems from insufficient protection of the Terminal Start Command setting. While the UI prevents direct modification, the API endpoint remains accessible. The SaveSettings function, protected only by basic authentication, lacks proper authorization roles, allowing any authenticated user to modify critical settings. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) from NIST with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability can lead to authenticated remote code execution, privilege escalation, and information disclosure. Attackers with valid authentication can modify the Terminal Start Command setting to execute arbitrary commands with root privileges through the web interface (GitHub Advisory).
The vulnerability has been patched in version 2.0.0.beta.9. The fix includes adding protected fields to settings to prevent unauthorized modifications. Users are strongly advised to upgrade to the patched version (GitHub Patch).
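The class of fix the advisory describes, server-side "protected fields" that a general settings endpoint refuses to touch regardless of what the UI hides, can be illustrated with a small Go sketch. This is an added example written for this page, not Nginx-UI's code or its patch: the Settings struct, its field names, the ApplySettingsUpdate and SetTerminalStartCmd functions and the Role type are all assumptions made for illustration. It also shows the decoding edge case a practitioner should check for in Go: encoding/json matches object keys case-insensitively, so a protected-key deny list compared with exact string equality can be bypassed by re-casing the key, and a post-merge invariant check closes that gap.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Settings is a hypothetical settings record for an admin web UI; the field
// names are assumptions for this example and are not Nginx-UI's real schema.
type Settings struct {
	PageSize         int    `json:"page_size"`
	Language         string `json:"language"`
	TerminalStartCmd string `json:"terminal_start_cmd"`
}

// Role is the caller's authorization level as established by the session layer.
type Role int

const (
	RoleUser Role = iota
	RoleAdmin
)

// protectedFields are JSON keys the general settings endpoint must never accept,
// no matter what the UI hides: the server, not the client, enforces the rule.
var protectedFields = []string{"terminal_start_cmd"}

var (
	ErrProtectedField = errors.New("attempt to modify a protected setting")
	ErrForbidden      = errors.New("caller lacks the required role")
)

func isProtected(key string) bool {
	for _, p := range protectedFields {
		// encoding/json matches keys case-insensitively, so the check must too,
		// or "Terminal_Start_Cmd" would slip past an exact-match comparison.
		if strings.EqualFold(key, p) {
			return true
		}
	}
	return false
}

// ApplySettingsUpdate merges a JSON patch from the general settings endpoint
// into the current settings. Any patch that names a protected key is rejected
// outright, and a post-merge invariant check guards against any decoding
// quirk that could still reach the protected field.
func ApplySettingsUpdate(current Settings, patchJSON []byte) (Settings, error) {
	var patch map[string]json.RawMessage
	if err := json.Unmarshal(patchJSON, &patch); err != nil {
		return current, fmt.Errorf("invalid settings payload: %w", err)
	}
	for key := range patch {
		if isProtected(key) {
			return current, fmt.Errorf("%w: %q", ErrProtectedField, key)
		}
	}
	// Decode onto a copy so fields absent from the patch keep their values.
	updated := current
	if err := json.Unmarshal(patchJSON, &updated); err != nil {
		return current, fmt.Errorf("invalid settings payload: %w", err)
	}
	if updated.TerminalStartCmd != current.TerminalStartCmd {
		return current, ErrProtectedField
	}
	return updated, nil
}

// SetTerminalStartCmd is the only path that may change the protected value,
// and it requires an explicit admin role rather than mere authentication.
func SetTerminalStartCmd(current Settings, role Role, cmd string) (Settings, error) {
	if role != RoleAdmin {
		return current, ErrForbidden
	}
	updated := current
	updated.TerminalStartCmd = cmd
	return updated, nil
}

func main() {
	cur := Settings{PageSize: 10, Language: "en", TerminalStartCmd: "bash"}
	// Constructed request bodies: one benign, one that skips the UI and
	// names the protected key directly.
	for _, body := range []string{`{"language":"de"}`, `{"terminal_start_cmd":"sh"}`} {
		got, err := ApplySettingsUpdate(cur, []byte(body))
		fmt.Printf("%s -> %+v, err=%v\n", body, got, err)
	}
}
```

The design point is that the deny list lives in the handler that persists settings, not in the front end, and that the one legitimate way to change the sensitive value is a separate function gated on an explicit role; a UI that merely hides a control gives no protection against a client that posts to the API directly.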
Source: This report was generated using AI