CVE-2024-49368 — Vulnetix

CVE-2024-49368 PUBLISHED CVSS 8.899999618530273 HIGH

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.

EPSS 52.24% · 98.0th percentile

Risk Scores

CVSS v4.0

8.899999618530273

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

EPSS Score

52.24%

98.0th percentile

Affected Products

Vendor	Product	Versions
0xJacky	nginx-ui	*
nginxui	nginx_ui	0
nginxui	nginx_ui	2.0.0, 2.0.0, 2.0.0

Timeline

Jan 21, 1970 Security Advisory
Oct 21, 2024 Coalition ESS Score
Oct 21, 2024 CVE Published
Oct 22, 2024 EPSS Score
Oct 23, 2024 Coalition ESS Score
Nov 6, 2024 Coalition ESS Score
Nov 13, 2024 PoC Published
Nov 28, 2024 EPSS Score
Dec 17, 2024 EPSS Score
Jan 23, 2025 EPSS Score
Feb 10, 2025 EPSS Score
Mar 17, 2025 EPSS Score

References

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-66m6-27r9-77vm url
https://github.com/0xJacky/nginx-ui/releases/tag/v2.0.0-beta.36 url

Open in Interactive Console →