Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.

N/A

访问控制不恰当

Nginx UI 安全漏洞

Nginx UI是Jacky个人开发者的一个 Nginx 的 WebUI。 Nginx UI 2.3.4之前版本存在安全漏洞，该漏洞源于禁用用户仍可使用先前颁发的API令牌，可能导致攻击者在账户被禁用后继续访问受保护资源。

N/A

N/A