CVE-2024-49368 HIGH

CVE-2024-49368: Unchecked logrotate settings lead to arbitrary command execution

Vendor 0Xjacky

Product nginx-ui

Weakness CWE-20 · Input validation

Published October 21, 2024

Last update November 1, 2024

View on NVD All CVEs

CVSS base score

8.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.

Key dates

02Disclosure timeline

October 21, 2024 CVE published

November 1, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-49368 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2024-49368: Unchecked logrotate settings lead to arbitrary command execution

01Description

02Disclosure timeline

03References

04Related CVE