CVE-2024-49367
HIGHnginxui/nginx_ui < 2.0.0-beta.36 - Unauthenticated Directory Traversal and Arbitrary File Read via Log Path Manipulation
Title source: llmDescription
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, the log path of nginxui is controllable. This issue can be combined with the directory traversal at `/api/configs` to read directories and file contents on the server. Version 2.0.0-beta.36 fixes the issue.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-gr34-jgw4-7j4m
Release Notes x_refsource_misc
https://github.com/0xJacky/nginx-ui/releases/tag/v2.0.0-beta.36
Scores
CVSS v3
7.5
EPSS
0.0063
EPSS Percentile
45.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (2)
nginxui/nginx_ui
2.0.0 beta1 (48 CPE variants)
nginxui/nginx_ui
< 1.9.9-4
Published
Oct 21, 2024
Tracked Since
Feb 18, 2026