Vulnerability Details CVE-2022-31137
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.94
EPSS Ranking 99.9%
CVSS Severity
CVSS v3 Score 10.0
CVSS v2 Score 10.0
References
- http://packetstormsecurity.com/files/167805/Roxy-WI-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/171648/Roxy-WI-6.1.0.0-Improper-Authentication-Control.html
- http://packetstormsecurity.com/files/171652/Roxy-WI-6.1.1.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/172547/Roxy-WI-6.1.0.0-Remote-Command-Execution.html
- https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532
- http://packetstormsecurity.com/files/167805/Roxy-WI-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/171648/Roxy-WI-6.1.0.0-Improper-Authentication-Control.html
- http://packetstormsecurity.com/files/171652/Roxy-WI-6.1.1.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/172547/Roxy-WI-6.1.0.0-Remote-Command-Execution.html
- https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532
Products affected by CVE-2022-31137
-
cpe:2.3:a:roxy-wi:roxy-wi:-
-
cpe:2.3:a:roxy-wi:roxy-wi:1.0
-
cpe:2.3:a:roxy-wi:roxy-wi:1.1
-
cpe:2.3:a:roxy-wi:roxy-wi:1.10
-
cpe:2.3:a:roxy-wi:roxy-wi:1.10.1
-
cpe:2.3:a:roxy-wi:roxy-wi:1.10.2
-
cpe:2.3:a:roxy-wi:roxy-wi:1.10.2.1
-
cpe:2.3:a:roxy-wi:roxy-wi:1.3
-
cpe:2.3:a:roxy-wi:roxy-wi:1.4
-
cpe:2.3:a:roxy-wi:roxy-wi:1.4.1
-
cpe:2.3:a:roxy-wi:roxy-wi:1.6
-
cpe:2.3:a:roxy-wi:roxy-wi:1.9.1
-
cpe:2.3:a:roxy-wi:roxy-wi:2.0.2
-
cpe:2.3:a:roxy-wi:roxy-wi:3.2.13
-
cpe:2.3:a:roxy-wi:roxy-wi:3.3
-
cpe:2.3:a:roxy-wi:roxy-wi:3.4.4.6
-
cpe:2.3:a:roxy-wi:roxy-wi:3.4.4.7
-
cpe:2.3:a:roxy-wi:roxy-wi:3.4.5
-
cpe:2.3:a:roxy-wi:roxy-wi:3.4.5.1
-
cpe:2.3:a:roxy-wi:roxy-wi:4.4.1.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.1.1.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.1.4.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.2.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.2.1
-
cpe:2.3:a:roxy-wi:roxy-wi:5.2.2.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.2.3.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.2.4.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.2.5.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.2.6.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.3.0.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.3.1.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.3.2.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.3.3.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.3.4.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.3.5.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.3.6.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.4.0.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.4.1.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.4.2.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.4.3.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.5.0.0
-
cpe:2.3:a:roxy-wi:roxy-wi:5.5.1.0
-
cpe:2.3:a:roxy-wi:roxy-wi:6.0.0.0
-
cpe:2.3:a:roxy-wi:roxy-wi:6.0.1.0
-
cpe:2.3:a:roxy-wi:roxy-wi:6.0.2.0
-
cpe:2.3:a:roxy-wi:roxy-wi:6.0.3.0
-
cpe:2.3:a:roxy-wi:roxy-wi:6.1.0.0