CVE-2024-23827

CRITICAL · CVSS 3.1: 9.8 · EPSS 48.5%
Published Jan 29, 2024 (2y ago) · Last Modified Jun 17, 2026 (2w ago)

Description

Nginx-UI is a web interface for managing Nginx configurations. The Import Certificate feature allows arbitrary file writes on the system: it does not check that the user-supplied input is a certificate or key, and it allows writing to arbitrary paths. The vulnerability can be leveraged into remote code execution by overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue.

CVSS Details

Base Score: 9.8
Exploitability: 3.9
Impact: 5.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 48.5% percentile
Exploit & Patch Status: No Known Exploit; No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 80

Vendor | Product | Version | Range
nginxui | nginx_ui | 1.2.0 | any
nginxui | nginx_ui | 1.2.0 | any
nginxui | nginx_ui | 1.2.0 | any
nginxui | nginx_ui | 1.2.0 | any
nginxui | nginx_ui | 1.2.0 | any
nginxui | nginx_ui | 1.2.0 | any
nginxui | nginx_ui | 1.2.0 | any
nginxui | nginx_ui | 1.2.1 | any
nginxui | nginx_ui | 1.2.2 | any
nginxui | nginx_ui | 1.3.0 | any
nginxui | nginx_ui | 1.3.0 | any
nginxui | nginx_ui | 1.3.1 | any
nginxui | nginx_ui | 1.3.1 | any
nginxui | nginx_ui | 1.3.2 | any
nginxui | nginx_ui | 1.3.3 | any
nginxui | nginx_ui | 1.4.0 | any
nginxui | nginx_ui | 1.4.0 | any
nginxui | nginx_ui | 1.4.1 | any
nginxui | nginx_ui | 1.4.2 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.0 | any
nginxui | nginx_ui | 1.5.1 | any
nginxui | nginx_ui | 1.5.2 | any
nginxui | nginx_ui | 1.6.0 | any
nginxui | nginx_ui | 1.6.0 | any
nginxui | nginx_ui | 1.6.1 | any
nginxui | nginx_ui | 1.6.2 | any
nginxui | nginx_ui | 1.6.3 | any
nginxui | nginx_ui | 1.6.5 | any
nginxui | nginx_ui | 1.6.6 | any
nginxui | nginx_ui | 1.6.7 | any
nginxui | nginx_ui | 1.6.8 | any
nginxui | nginx_ui | 1.7.0 | any
nginxui | nginx_ui | 1.7.0 | any
nginxui | nginx_ui | 1.7.1 | any
nginxui | nginx_ui | 1.7.2 | any
nginxui | nginx_ui | 1.7.3 | any
nginxui | nginx_ui | 1.7.4 | any
nginxui | nginx_ui | 1.7.5 | any
nginxui | nginx_ui | 1.7.6 | any
nginxui | nginx_ui | 1.7.7 | any
nginxui | nginx_ui | 1.7.8 | any
nginxui | nginx_ui | 1.7.9 | any
nginxui | nginx_ui | 1.8.0 | any
nginxui | nginx_ui | 1.8.1 | any
nginxui | nginx_ui | 1.8.2 | any
nginxui | nginx_ui | 1.8.3 | any
nginxui | nginx_ui | 1.8.4 | any
nginxui | nginx_ui | 1.8.4 | any
nginxui | nginx_ui | 1.9.9 | any
nginxui | nginx_ui | 1.9.9-1 | any
nginxui | nginx_ui | 1.9.9-2 | any
nginxui | nginx_ui | 1.9.9-3 | any
nginxui | nginx_ui | 1.9.9-4 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any
nginxui | nginx_ui | 2.0.0 | any

References 1

  • github.com https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-xvq9-4vpv-227m
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.