CVE-2022-31161
Roxy-WI Vulnerable to Unauthenticated Remote Code Execution via ssl_cert Upload
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue.
Roxy-WI es una interfaz web para administrar los servidores HAProxy, Nginx y Keepalived. En versiones anteriores a 6.1.1.0, el comando del sistema puede ser ejecutado remotamente por medio de la función subprocess_execute sin procesar las entradas recibidas del usuario en el archivo /app/options.py. La versión 6.1.1.0 contiene un parche para este problema
Roxy WI version 6.1.1.0 suffers from an unauthenticated remote code execution vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-05-18 CVE Reserved
- 2022-07-15 CVE Published
- 2023-04-03 First Exploit
- 2024-05-03 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
References (4)
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/51228 | 2023-04-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|