CVE-2022-31161
10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Summary
Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| hap-wi | roxy-wi | < 6.1.1.0 | affected |
Weaknesses
- CWE-77: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-pg3w-8p63-x483
- https://github.com/hap-wi/roxy-wi/releases/tag/v6.1.1.0
- http://packetstormsecurity.com/files/171652/Roxy-WI-6.1.1.0-Remote-Code-Execution.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-pg3w-8p63-x483
- https://github.com/hap-wi/roxy-wi/releases/tag/v6.1.1.0
- http://packetstormsecurity.com/files/171652/Roxy-WI-6.1.1.0-Remote-Code-Execution.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.