CVE-2024-39935: 
Nginx Proxy Manager vulnerability analysis and mitigation

jc21 NGINX Proxy Manager before version 2.11.3 contains an OS command injection vulnerability in the backend/internal/certificate.js component. The vulnerability allows authenticated users with certificate management privileges to execute arbitrary commands via untrusted input to the DNS provider configuration. This vulnerability is tracked as CVE-2024-39935 and was disclosed in July 2024. It's important to note that this vulnerability does not affect any NGINX software shipped by F5 (NVD).

The vulnerability exists in the certificate management functionality where the DNS provider configuration handling is susceptible to command injection attacks. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command) (NVD).

If exploited, this vulnerability could allow authenticated users with certificate management privileges to execute arbitrary operating system commands on the affected system. This could potentially lead to complete system compromise, data theft, or service disruption (NVD).

The vulnerability has been fixed in NGINX Proxy Manager version 2.11.3. Users are strongly advised to upgrade to this version or later. The fix involves using built-in node functions to handle file operations instead of shell commands (GitHub Commit).