Published on: Not Yet Published
Last Modified on: 01/30/2023 06:40:00 PM UTC
CVE-2023-23596Source: Mitre Source: NIST CVE.ORG Print: PDF
Certain versions of Nginx Proxy Manager from Jc21 contain the following vulnerability:
jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an authenticated attacker to execute arbitrary commands on the system. NOTE: this is not part of any NGINX software shipped by F5.
- CVE-2023-23596 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 8.8 - HIGH
|nginx-proxy-manager/access-list.js at 4f10d129c20cc82494b95cc94b97f859dbd4b54d · NginxProxyManager/nginx-proxy-manager · GitHub|| github.com |
|CVE-2023-23596: OS Command Injection in Nginx Proxy Manager - dw1's Advisory|| advisory.dw1.io |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
|Application||Jc21||Nginx Proxy Manager||All||All||All||All|
No vendor comments have been submitted for this CVE
|@Robo_Alerts||Potentially Critical CVE Detected! CVE-2023-23596 jc21 NGINX Proxy Manager through 2.9.19 allows OS command injecti… twitter.com/i/web/status/1…||2023-01-20 07:56:00|
|@CVEreport||CVE-2023-23596 : jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list,… twitter.com/i/web/status/1…||2023-01-20 08:07:07|
|/r/selfhosted||Nginx Proxy Manager security vulnerability w/ local exec capability CVE-2023-23596||2023-01-25 18:06:18|