CVE-2024-23827

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/github.com/0xJacky/Nginx-UI

Identifiers

GHSA-xvq9-4vpv-227m, CVE-2024-23827

Package Slug

go/github.com/0xJacky/Nginx-UI

Vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Description

Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It's possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue.

Affected Versions

All versions before 2.0.0-beta.12

Solution

Upgrade to version 2.0.0-beta.12 or above. Note: 2.0.0-beta.12 may be an unstable version. Use caution.

Last Modified

2024-01-30

source