CVE-2023-23596
CVSS V2 None
CVSS V3 None
Description
jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an authenticated attacker to execute arbitrary commands on the system. NOTE: this is not part of any NGINX software shipped by F5.
Overview
- CVE ID
- CVE-2023-23596
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2023-01-20T08:15:12
- Last Modified Date
- 2023-01-30T18:40:13
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:jc21:nginx_proxy_manager:*:*:*:*:*:*:*:* | 1 | OR | 2.9.19 |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-23596 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23596 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2023-01-20 09:14:38 | Added to TrackCVE | |||
2023-01-20 15:15:00 | 2023-01-20T13:54:58 | CVE Modified Date | updated | |
2023-01-20 15:15:00 | Received | Awaiting Analysis | Vulnerability Status | updated |
2023-01-27 20:15:16 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |
2023-01-30 21:13:45 | 2023-01-30T18:40:13 | CVE Modified Date | updated | |
2023-01-30 21:13:45 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |
2023-01-30 21:13:46 | Weakness Enumeration | new | ||
2023-01-30 21:13:48 | CPE Information | updated |