FixVibe
Covered by FixVibehigh

Authenticated Command Injection in Nginx-UI (CVE-2024-22198)

Nginx-UI releases before the fixed Go pseudo-version 1.9.10-0.20231219184941-827e76c46e63, and application beta releases before 2.0.0.beta.9, are affected by an authenticated command-injection flaw. FixVibe reports repository dependency evidence as a version-based advisory and does not claim live command execution from repo evidence alone.

CVE-2024-22198GHSA-8r25-68wm-jw35GO-2024-2462CWE-77

Impact

An authenticated Nginx-UI user could modify protected settings such as the terminal start command and later trigger command execution through the web terminal workflow [S1]. GitHub Security Lab reported that this can lead to authenticated remote code execution, privilege escalation, and information disclosure when a vulnerable Nginx-UI runtime is deployed with the affected settings path reachable [S2].

Root Cause

CVE-2024-22198 is a command-injection issue in Nginx-UI settings handling, tracked as CWE-77 [S3]. The vulnerable code path allowed user-controlled settings data to influence a command that Nginx-UI later executed when terminal functionality was used [S2]. The upstream fix added protected settings handling so sensitive command-related fields cannot be overwritten through the settings API [S4].

How FixVibe covers it

FixVibe's GitHub repo scan can flag Go module metadata that resolves github.com/0xJacky/Nginx-UI to a version affected by CVE-2024-22198 / GHSA-8r25-68wm-jw35 / GO-2024-2462 [S1][S5]. The finding is reported as a version-based advisory: evidence includes the package, version, file path, affected range, fixed version, confidence, source quality, and the distinction between verified dependency evidence and unverified runtime exploitability.

FixVibe does not authenticate to Nginx-UI, change settings, modify start_cmd, open terminal sessions, execute commands, send command-injection strings, or claim live remote-code-execution confirmation from repository metadata. Public HTTP fingerprints alone are also not enough for this finding because they cannot reliably prove the deployed module version, patch/backport state, terminal exposure, authenticated user boundary, or whether the scanned repository is the runtime serving production traffic.

Remediation

Upgrade Nginx-UI to Go pseudo-version 1.9.10-0.20231219184941-827e76c46e63, Nginx-UI 2.0.0.beta.9, or a newer vendor-supported release [S1][S3]. Regenerate Go module metadata, rebuild every binary or container image that includes Nginx-UI, verify the deployed artifact no longer carries the affected version, and rerun the FixVibe GitHub repo scan.

While the upgrade rolls out, keep Nginx-UI administrative and terminal functionality restricted to trusted operators and trusted networks. Treat access restrictions as defense in depth: the durable fix is a rebuilt runtime that includes the protected-settings patch.

Authenticated Command Injection in Nginx-UI (CVE-2024-22198) β€” FixVibe research Β· FixVibe