GHSA-xvq9-4vpv-227m, CVE-2024-23827
go/github.com/0xJacky/Nginx-UI
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It's possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue.
All versions before 2.0.0-beta.12
Upgrade to version 2.0.0-beta.12 or above. Note: 2.0.0-beta.12 may be an unstable version. Use caution.
2024-01-30
source |