Nginx UI API Token Misuse Vulnerability for Disabled Users

Vulnerability

A vulnerability in Nginx UI prior to version 2.3.4 allows disabled users to continue using previously issued API tokens for the remainder of the token's lifetime. As a result, an attacker who has stolen a JSON Web Token (JWT) can still access and modify protected resources even after the account has been disabled. Additionally, since these tokens can be used to create new accounts, a disabled user could retain privileges through a newly created account.
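The missing check, shown as an added Go example rather than Nginx UI's own code: one authorizer accepts any validly signed token (the pre-2.3.4 behaviour described above), the other also re-checks the account's enabled flag on every request, so disabling a user immediately rejects tokens issued earlier. The user store, token format and `secret` are constructed placeholders, not the project's real implementation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Constructed in-memory user store (hypothetical, not Nginx UI's real model).
type User struct{ Enabled bool }
var users = map[string]*User{"alice": {Enabled: true}}
var secret = []byte("constructed-demo-secret") // placeholder signing key

// sign returns the HMAC-SHA256 of subject, base64url-encoded.
func sign(subject string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(subject))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// issueToken builds a minimal signed bearer token "subject.signature"
// (expiry handling is omitted to keep the example short).
func issueToken(subject string) string { return subject + "." + sign(subject) }

// verifySignature checks the HMAC in constant time and returns the subject.
func verifySignature(token string) (string, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 || !hmac.Equal([]byte(sign(parts[0])), []byte(parts[1])) {
		return "", errors.New("invalid token")
	}
	return parts[0], nil
}

// authorizeVulnerable mirrors the pre-2.3.4 behaviour described above: any
// validly signed token is accepted without consulting current account status.
func authorizeVulnerable(token string) (string, error) { return verifySignature(token) }

// authorizeFixed re-checks the account on every request, so disabling a user
// immediately rejects tokens that were issued before the change.
func authorizeFixed(token string) (string, error) {
	uid, err := verifySignature(token)
	if err != nil {
		return "", err
	}
	if u, ok := users[uid]; !ok || !u.Enabled {
		return "", errors.New("account disabled or missing")
	}
	return uid, nil
}
```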

Impact

This vulnerability allows disabled users to bypass account restrictions, maintaining full API access. As a result, they can continue to read sensitive information and perform actions that modify the state of their account or the application.

Reproduction

The vulnerability can be reproduced by disabling a user account through the Nginx UI user management API. After the account is marked as disabled, the user can still use any active JWT to access and modify protected resources. This was verified on Nginx UI version 2.3.3.

Remediation

Users should update to Nginx UI version 2.3.4 or later, where this vulnerability has been patched.

Added: Apr 20, 2026, 9:32 PM
Updated: Apr 20, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 1.3
exploitability: 8.1
remediation: 7.7
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.