CVE-2022-31161

Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:04

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/171652/Roxy-WI-6.1.1.0-Remote-Code-Execution.html - () http://packetstormsecurity.com/files/171652/Roxy-WI-6.1.1.0-Remote-Code-Execution.html -
References () https://github.com/hap-wi/roxy-wi/releases/tag/v6.1.1.0 - Release Notes, Third Party Advisory () https://github.com/hap-wi/roxy-wi/releases/tag/v6.1.1.0 - Release Notes, Third Party Advisory
References () https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-pg3w-8p63-x483 - Third Party Advisory () https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-pg3w-8p63-x483 - Third Party Advisory
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 10.0

22 Jul 2022, 12:07

Type Values Removed Values Added
CWE CWE-434
CPE cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
References (MISC) https://github.com/hap-wi/roxy-wi/releases/tag/v6.1.1.0 - (MISC) https://github.com/hap-wi/roxy-wi/releases/tag/v6.1.1.0 - Release Notes, Third Party Advisory
References (CONFIRM) https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-pg3w-8p63-x483 - (CONFIRM) https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-pg3w-8p63-x483 - Third Party Advisory

15 Jul 2022, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-07-15 21:15

Updated : 2024-11-21 07:04


NVD link : CVE-2022-31161

Mitre link : CVE-2022-31161

CVE.ORG link : CVE-2022-31161


JSON object : View

Products Affected

roxy-wi

  • roxy-wi
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-434

Unrestricted Upload of File with Dangerous Type