CVE-2022-31137
Unauthenticated Remote Code Execution in Roxy-WI
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Roxy-WI es una interfaz web para administrar los servidores Haproxy, Nginx, Apache y Keepalived. Las versiones anteriores a 6.1.1.0 están sujetas a una vulnerabilidad de ejecución de código remota. Los comandos del sistema pueden ser ejecutados remotamente por medio de la función subprocess_execute sin procesar las entradas recibidas del usuario en el archivo /app/options.py. Los atacantes no necesitan estar autenticados para explotar esta vulnerabilidad. Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para esta vulnerabilidad
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-05-18 CVE Reserved
- 2022-07-06 First Exploit
- 2022-07-08 CVE Published
- 2024-07-21 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (8)
URL | Date | SRC |
---|---|---|
https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755 | 2022-07-06 |
URL | Date | SRC |
---|