CVE-2024-23828

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in go/github.com/0xJacky/Nginx-UI

Identifiers

GHSA-qcjq-7f7v-pvc8, CVE-2024-23828

Package Slug

go/github.com/0xJacky/Nginx-UI

Vulnerability

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Description

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to an authenticated arbitrary command execution via CRLF attack when changing the value of testconfigcmd or start_cmd. This vulnerability exists due to an incomplete fix for CVE-2024-22197 and CVE-2024-22198. This vulnerability has been patched in version 2.0.0.beta.12.

Affected Versions

All versions before 2.0.0-beta.12

Solution

Upgrade to version 2.0.0-beta.12 or above. Note: 2.0.0-beta.12 may be an unstable version. Use caution.

Last Modified

2024-01-30

source