Vulnerability Description
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`, allowing an actor to gain information about a server. Version 6.3.6.0 has a patch for this issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Roxy-Wi | Roxy-Wi | < 6.3.6.0 |
Related Weaknesses (CWE)
References
- https://github.com/hap-wi/roxy-wi/commit/0054f25da7cf8c7480452f48e39308b5e392dc6Patch
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-qcmp-q5h3-784mExploitVendor Advisory
- https://github.com/hap-wi/roxy-wi/commit/0054f25da7cf8c7480452f48e39308b5e392dc6Patch
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-qcmp-q5h3-784mExploitVendor Advisory
FAQ
What is CVE-2023-25802?
CVE-2023-25802 is a vulnerability with a CVSS score of 7.5 (HIGH). Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`...
How severe is CVE-2023-25802?
CVE-2023-25802 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25802?
Check the references section above for vendor advisories and patch information. Affected products include: Roxy-Wi Roxy-Wi.