0xJacky nginx-ui
cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*
- <= 2.3.7
A vulnerability in Nginx UI's GetSettings API handler prior to version 2.3.8 allows authenticated users to access sensitive settings marked as protected. The API serializes all settings to JSON without enforcing the protected tag during reads, exposing over 40 sensitive fields, including JwtSecret, NodeSecret, OIDC ClientSecret, and IP whitelist configuration. This issue could lead to authentication token forgery, cluster node impersonation, OAuth account takeover, and unauthorized access to network security details.
Exploitation of this vulnerability gives an authenticated user unauthorized access to sensitive protected fields, including authentication secrets and security configuration, which could be misused to forge authentication tokens, impersonate cluster nodes, take over OAuth accounts, and learn the deployment's network security posture.
The vulnerability can be reproduced by sending a GET request to the /api/settings endpoint with a valid JWT token. The response will include all settings, including those marked as protected, such as JwtSecret, NodeSecret, OIDC ClientSecret, and IP whitelist details.
Users should update to Nginx UI version 2.3.8 or later, where this vulnerability has been patched.
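As an added illustration, not code from Nginx UI, the Go snippet below assumes a struct-tag convention in which `protected:"true"` marks sensitive settings. It shows a read path that enforces the tag (plain `json.Marshal` of the struct reproduces the flawed behaviour of emitting every field) alongside a check a handler test can use to detect protected keys still present in an encoded response; the `Settings` type and its field values are constructed.

```go
package main

import (
	"encoding/json"
	"reflect"
)

// Settings is a constructed stand-in for an application settings struct; the
// `protected:"true"` tag convention is assumed here, not Nginx UI's own code.
type Settings struct {
	HTTPPort     int      `json:"http_port"`
	JwtSecret    string   `json:"jwt_secret" protected:"true"`
	NodeSecret   string   `json:"node_secret" protected:"true"`
	ClientSecret string   `json:"oidc_client_secret" protected:"true"`
	IPWhitelist  []string `json:"ip_whitelist" protected:"true"`
}

// MarshalRedacted is the safe read path. Plain json.Marshal(s) mirrors the
// flawed behaviour (every field is emitted); here fields tagged protected
// are skipped so secrets never leave the handler.
func MarshalRedacted(s Settings) ([]byte, error) {
	out := map[string]any{}
	v := reflect.ValueOf(s)
	for i := 0; i < v.NumField(); i++ {
		f := v.Type().Field(i)
		if f.Tag.Get("protected") != "true" {
			out[f.Tag.Get("json")] = v.Field(i).Interface()
		}
	}
	return json.Marshal(out)
}

// LeakedKeys reports which protected keys appear in an encoded response; a
// handler test for GET /api/settings should assert it returns nothing.
func LeakedKeys(enc []byte) []string {
	m := map[string]json.RawMessage{}
	_ = json.Unmarshal(enc, &m) // unparseable input simply yields no keys
	var leaked []string
	t := reflect.TypeOf(Settings{})
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		key := f.Tag.Get("json")
		if _, ok := m[key]; ok && f.Tag.Get("protected") == "true" {
			leaked = append(leaked, key)
		}
	}
	return leaked
}
```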