CVE-2024-49368— Unchecked logrotate settings lead to arbitrary command execution
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-49368
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unchecked logrotate settings lead to arbitrary command execution
Source: NVD (National Vulnerability Database)
Vulnerability Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Nginx UI 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Nginx UI是Jacky个人开发者的一个 Nginx 的 WebUI。 Nginx UI 2.0.0-beta.36之前版本存在输入验证错误漏洞,该漏洞源于配置logrotate时,未验证输入,导致任意命令执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-49368
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Explorations of CVE-2024-49368 + Exploit Development | https://github.com/Aashay221999/CVE-2024-49368 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-49368
请登录查看更多情报信息。
- Release v2.0.0-beta.36 · 0xJacky/nginx-ui · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2024-49368
Same Patch Batch · 0xJacky · 2024-10-21 · 3 CVEs total
| CVE-2024-49366 | Nginx UI's json field can construct a directory traversal payload, causing arbitrary files | |
| CVE-2024-49367 | Nginx UI's log path can be controlled |
IV. Related Vulnerabilities
Same product: nginx-ui
- CVE-2026-42238
Unauthenticated Remote Code Execution via Backup Restore in - CVE-2026-42223
nginx-ui: Settings API Exposes Protected Secrets - CVE-2026-42222
nginx-ui: Unauthenticated first-boot instance claim via POST - CVE-2026-42221
nginx-ui: Unauthenticated First-Run Installer Allows Remote - CVE-2026-42220
nginx-ui: Authenticated settings disclosure exposes node.sec
Same vendor: 0xJacky
- CVE-2026-42238
Unauthenticated Remote Code Execution via Backup Restore in - CVE-2026-42223
nginx-ui: Settings API Exposes Protected Secrets - CVE-2026-42222
nginx-ui: Unauthenticated first-boot instance claim via POST - CVE-2026-42221
nginx-ui: Unauthenticated First-Run Installer Allows Remote - CVE-2026-42220
nginx-ui: Authenticated settings disclosure exposes node.sec
Same weakness: CWE-20
V. Comments for CVE-2024-49368
No comments yet