CVE-2024-49368

Published: Oct 21, 2024Modified: Nov 6, 2024

8.9

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security-advisories@github.com (Secondary)

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.

Affected (49)

Products: Nginxui: Nginx Ui

Nginxui

1 product

Nginx Ui

Configuration A

49 vulnerable

Vulnerable Software	Affected Versions
Nginxui Nginx Ui	Up to 1.9.9-4
Nginxui Nginx Ui	Version 2.0.0 beta10
Nginxui Nginx Ui	Version 2.0.0 beta10_patch
Nginxui Nginx Ui	Version 2.0.0 beta11
Nginxui Nginx Ui	Version 2.0.0 beta12
Nginxui Nginx Ui	Version 2.0.0 beta13-patch
Nginxui Nginx Ui	Version 2.0.0 beta13
Nginxui Nginx Ui	Version 2.0.0 beta14
Nginxui Nginx Ui	Version 2.0.0 beta15
Nginxui Nginx Ui	Version 2.0.0 beta16
Nginxui Nginx Ui	Version 2.0.0 beta17
Nginxui Nginx Ui	Version 2.0.0 beta18-patch1
Nginxui Nginx Ui	Version 2.0.0 beta18-patch2
Nginxui Nginx Ui	Version 2.0.0 beta18
Nginxui Nginx Ui	Version 2.0.0 beta19
Nginxui Nginx Ui	Version 2.0.0 beta1
Nginxui Nginx Ui	Version 2.0.0 beta20
Nginxui Nginx Ui	Version 2.0.0 beta21
Nginxui Nginx Ui	Version 2.0.0 beta22
Nginxui Nginx Ui	Version 2.0.0 beta23-patch1
Nginxui Nginx Ui	Version 2.0.0 beta23-ptach2
Nginxui Nginx Ui	Version 2.0.0 beta23
Nginxui Nginx Ui	Version 2.0.0 beta24
Nginxui Nginx Ui	Version 2.0.0 beta25-patch1
Nginxui Nginx Ui	Version 2.0.0 beta25-ptach2
Nginxui Nginx Ui	Version 2.0.0 beta25
Nginxui Nginx Ui	Version 2.0.0 beta27
Nginxui Nginx Ui	Version 2.0.0 beta28
Nginxui Nginx Ui	Version 2.0.0 beta29
Nginxui Nginx Ui	Version 2.0.0 beta2
Nginxui Nginx Ui	Version 2.0.0 beta30
Nginxui Nginx Ui	Version 2.0.0 beta31
Nginxui Nginx Ui	Version 2.0.0 beta32-patch1
Nginxui Nginx Ui	Version 2.0.0 beta32
Nginxui Nginx Ui	Version 2.0.0 beta33
Nginxui Nginx Ui	Version 2.0.0 beta34
Nginxui Nginx Ui	Version 2.0.0 beta35
Nginxui Nginx Ui	Version 2.0.0 beta3
Nginxui Nginx Ui	Version 2.0.0 beta4
Nginxui Nginx Ui	Version 2.0.0 beta4_patch
Nginxui Nginx Ui	Version 2.0.0 beta5
Nginxui Nginx Ui	Version 2.0.0 beta5_patch
Nginxui Nginx Ui	Version 2.0.0 beta6
Nginxui Nginx Ui	Version 2.0.0 beta6_patch2
Nginxui Nginx Ui	Version 2.0.0 beta6_patch
Nginxui Nginx Ui	Version 2.0.0 beta7
Nginxui Nginx Ui	Version 2.0.0 beta8
Nginxui Nginx Ui	Version 2.0.0 beta8_patch
Nginxui Nginx Ui	Version 2.0.0 beta9

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://github.com/0xJacky/nginx-ui/releases/tag/v2.0.0-beta.36

Source: security-advisories@github.com

Release Notes

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-66m6-27r9-77vm

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.