CVE-2024-23827: 
Nginx UI vulnerability analysis and mitigation

Nginx-UI, a web interface for managing Nginx configurations, contains a critical vulnerability (CVE-2024-23827) in its Import Certificate feature. The vulnerability was discovered in January 2024 and affects versions prior to v2.0.0-beta.11. The issue allows arbitrary file write capabilities into the system, as the feature fails to validate whether the provided user input is a legitimate certification/key (GitHub Advisory).

The vulnerability stems from insufficient input validation in the Import Certificate feature. The application does not properly verify the content of certificate files before writing them to the filesystem. The feature accepts user-specified paths and content through the API endpoint '/api/cert' and writes them directly to the specified locations with 0644 permissions. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD).

The vulnerability allows attackers to write arbitrary files anywhere in the system where the application has write permissions. More critically, it can be leveraged into remote code execution (RCE) by overwriting configuration files such as app.ini. This can lead to complete system compromise if the application is restarted after the malicious configuration is written (GitHub Advisory).

The vulnerability has been patched in version 2.0.0.beta.12. Users are strongly advised to upgrade to this version or later to protect against this security issue. No workarounds have been published for users who cannot immediately upgrade (GitHub Advisory).