Vulnerability DatabaseCVE-2024-23828

CVE-2024-23828:
Nginx UI vulnerability analysis and mitigation

Overview

Nginx-UI, a web interface for managing Nginx configurations, was found to be vulnerable to an authenticated arbitrary command execution vulnerability through CRLF attack when modifying the values of test_config_cmd or start_cmd parameters. This vulnerability (CVE-2024-23828) was discovered as a result of an incomplete fix for previous vulnerabilities CVE-2024-22197 and CVE-2024-22198. The issue was patched in version 2.0.0.beta.12 (GitHub Advisory).

Technical details

The vulnerability allows authenticated users to inject commands directly into the app.ini configuration file using CRLF (Carriage Return Line Feed) attacks. This injection capability specifically targets the test_config_cmd and start_cmd parameters. The CVSS v3.1 score for this vulnerability is 8.8 HIGH with the vector string AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

If successfully exploited, this vulnerability enables authenticated attackers to execute arbitrary commands on the host system running the Nginx-UI application. This could lead to complete system compromise within the context of the application's privileges (GitHub Advisory).

Mitigation and workarounds

Users should upgrade to Nginx-UI version 2.0.0.beta.12 or later, which contains the fix for this vulnerability (GitHub Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

8.8

Score

Published January 29, 2024

Severity HIGH

CNA Score 8.8

Affected Technologies

Nginx UI

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 79.9

Exploitation Probability (EPSS) 1.4

Affected packages and libraries

github.com/0xJacky/Nginx-UI
github.com/0xjacky/nginx-ui

Sources

GitHub Advisory Database
- GoLang Severity HIGHHas FixAdded at: Jan 30, 2024
NVD
- Linux Severity HIGHNo FixAdded at: May 22, 2024

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Nginx UI vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2024-3738	CRITICAL	9.8	Nginx UI	cpe:2.3:a:nginxui:nginx_ui	No	No	Apr 13, 2024
CVE-2024-49368	HIGH	8.9	Nginx UI	cpe:2.3:a:nginxui:nginx_ui	No	Yes	Oct 21, 2024
CVE-2024-23828	HIGH	8.8	Nginx UI	github.com/0xJacky/Nginx-UI	No	Yes	Jan 29, 2024
CVE-2024-49366	HIGH	7.7	Nginx UI	cpe:2.3:a:nginxui:nginx_ui	No	Yes	Oct 21, 2024
CVE-2024-49367	MEDIUM	5.5	Nginx UI	cpe:2.3:a:nginxui:nginx_ui	No	Yes	Oct 21, 2024

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2024-23828: Nginx UI vulnerability analysis and mitigation