CVE-2024-22197 HIGH

CVE-2024-22197: Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)

Vendor 0Xjacky

Product nginx-ui

Weakness CWE-77

Published January 11, 2024

Last update June 17, 2025

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

Description

Nginx-ui is online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in real-time. The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API also exposes `test_config_cmd`, `reload_cmd` and `restart_cmd`. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sending a request to the API. This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure. This issue has been patched in version 2.0.0.beta.9.

Key dates

Disclosure timeline

January 11, 2024 CVE published

June 17, 2025 Record updated