CVE-2024-49368

CRITICAL LAB

Nginxui Nginx UI < 1.9.9-4 - Improper Input Validation

Title source: rule

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.

Exploits (1)

nomisec WORKING POC

by Aashay221999 · poc

https://github.com/Aashay221999/CVE-2024-49368

View Code ZIP pw:eip

References (2)

[Release Notes] https://github.com/0xJacky/nginx-ui/releases/tag/v2.0.0-beta.36

[Exploit, Vendor Advisory] https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-66m6-27r9-77vm

Scores

CVSS v3 9.8

EPSS 0.5771

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull uozi/nginx-ui:v2.0.0-beta.35

docker pull uozi/nginx-ui:v2.0.0-beta.36

https://github.com/Aashay221999/CVE-2024-49368

View in Library

Details

CWE

CWE-20

Status published

Products (2)

nginxui/nginx_ui 2.0.0 beta1 (48 CPE variants)

nginxui/nginx_ui < 1.9.9-4

Published Oct 21, 2024

Tracked Since Feb 18, 2026