Headline
CVE-2022-31126
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to execute code by sending a specially crafted HTTP request to the /app/options.py file. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.
Unauthenticated Remote Code Execution via ssh_command
Critical
Aidaho12 published GHSA-mh86-878h-43c9
Jul 6, 2022
Package: No package listed
Affected versions: < 6.1.1.0
Patched versions: 6.1.1.0
Description
Impact
A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to execute code by sending a specially crafted HTTP request to the /app/options.py file. This affects Roxy-wi versions before 6.1.0.
Patches
Fixed in version 6.1.1.0.
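The advisory gives defenders two concrete handles: an affected-version boundary (anything below 6.1.1.0) and an endpoint (/app/options.py) reached by an unauthenticated request. The script below is an added example for triage, not code from the advisory or from the Roxy-wi project. It checks a deployed version against the patched release and scans web-server access logs for requests to that endpoint carrying a parameter named ssh_command. The parameter name is an assumption taken from the advisory title, and the check only sees query strings, since POST bodies are not recorded in standard access logs; the log lines are constructed samples in combined log format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# From the advisory: versions before 6.1.1.0 are affected.
PATCHED = (6, 1, 1, 0)
# Endpoint named in the advisory.
TARGET_PATH = "/app/options.py"
# Assumed parameter name, taken from the advisory title ("via ssh_command").
SUSPECT_PARAM = "ssh_command"

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_version(version):
    """Normalise a dotted version to a 4-tuple so '6.1.0' compares with '6.1.1.0'."""
    parts = [int(p) for p in version.strip().split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def is_affected(version):
    """True when the given Roxy-wi version predates the patched release."""
    return parse_version(version) < PATCHED


def find_suspect_requests(lines):
    """Return requests to the advisory endpoint whose query string carries the
    suspect parameter. Lines that do not parse as combined log format are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue
        if SUSPECT_PARAM in parse_qs(url.query):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, placeholder values).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jul/2022:10:15:21 +0000] '
    '"GET /app/options.py?ssh_command=PLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.4 - - [06/Jul/2022:10:16:02 +0000] '
    '"GET /app/options.py?token=PLACEHOLDER HTTP/1.1" 200 88',
    '198.51.100.4 - - [06/Jul/2022:10:16:30 +0000] '
    '"GET /app/index.py HTTP/1.1" 200 4096',
    'not a log line at all',
]


if __name__ == "__main__":
    for v in ("6.0.9", "6.1.0.0", "6.1.1.0", "6.2"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'patched'}")
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("suspect request:", hit)
```

A hit on a host still running an affected version is worth treating as an incident rather than a scan artifact, because the advisory states no privileges or user interaction are needed. On a patched host the same hits still show who probed the endpoint.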
Severity
Critical
10.0 / 10
CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
CVE ID
CVE-2022-31126
Weaknesses
CWE-77, CWE-94, CWE-116
Credits
- derectus
Related news
Roxy WI version 6.1.0.0 suffers from an unauthenticated remote code execution vulnerability.