CVE-2023-27224
Description
Lua script injection in NginxProxyManager v2.9.19 allows authenticated attackers to execute arbitrary code via the configuration file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An arbitrary code execution vulnerability exists in NginxProxyManager v2.9.19. An attacker with administrative access can inject a malicious Lua script into the Nginx configuration file through the admin interface, leading to code execution when Nginx processes the configuration. [1]
Exploitation
To exploit this vulnerability, an attacker must have authenticated access to the NginxProxyManager admin interface. The attacker can then inject a Lua script into the custom Nginx configuration field for a proxy host, stream, or 404 host. The injected script is written to the configuration file and executed when Nginx reloads or processes the configuration. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary Lua code in the context of the Nginx process. This could lead to complete compromise of the NginxProxyManager container, including access to sensitive data, SSL certificates, and the ability to further pivot within the network. [1]
Mitigation
As of the publication date (2023-03-22), no fixed version has been released. Users should restrict access to the admin interface to trusted users only and monitor for upstream patches. The NginxProxyManager project recommends using the latest Docker image and applying updates as soon as they become available. [1]
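A defender-side audit for the condition described above, as an added example (not code from NginxProxyManager or from this CVE record): it scans Nginx configuration text for Lua directives of OpenResty's lua-nginx-module family that appear outside comments, which is what an injected script would leave behind in a generated host file. The directory argument and the sample text are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Directive names from OpenResty's lua-nginx-module family, e.g.
# content_by_lua_block, access_by_lua_file, init_by_lua, lua_package_path.
LUA_DIRECTIVE = re.compile(r"(?:^|[;{}\s])(\w+_by_lua(?:_block|_file)?|lua_\w+)\b")

def strip_comment(line):
    """Drop an nginx '#' comment unless the '#' sits inside a quoted string."""
    quote, i = None, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":          # skip the escaped character
            i += 2
            continue
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            return line[:i]
        i += 1
    return line

def find_lua_directives(text):
    """Return (line_number, directive) pairs; over-reports rather than misses."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in LUA_DIRECTIVE.finditer(strip_comment(line)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample, not taken from a real host.
SAMPLE = """\
location / {
    proxy_pass http://127.0.0.1:8080;  # content_by_lua_block in a comment
    add_header X-Note "a # inside quotes";
    access_by_lua_block { ngx.log(ngx.INFO, "hit") }
}
"""

if __name__ == "__main__":
    # Assumption: argv[1] is the directory holding the generated *.conf files.
    for path in sorted(Path(sys.argv[1]).rglob("*.conf")):
        for number, name in find_lua_directives(path.read_text(errors="replace")):
            print(f"{path}:{number}: {name}")
```

A hit is a prompt to check who saved that custom configuration and when; deployments that use Lua on purpose will need an allowlist of expected directives.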
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: =2.9.19
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.