Nginx Ui
CVE-2024-49366
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Nginx UI is a web user interface for the Nginx web server. Nginx UI v2.0.0-beta.35 and earlier gets the value from the json field without verification, and can construct a value value in the form of ../../. Arbitrary files can be written to the server, which may result in loss of permissions. Version 2.0.0-beta.26 fixes the issue.
AnalysisAI
Nginx UI is a web user interface for the Nginx web server. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Nginx UI is a web user interface for the Nginx web server. Nginx UI v2.0.0-beta.35 and earlier gets the value from the json field without verification, and can construct a value value in the form of ../../. Arbitrary files can be written to the server, which may result in loss of permissions. Version 2.0.0-beta.26 fixes the issue. Affected products include: Nginxui Nginx Ui. Version information: Version 2.0.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.
Nginx UI is a web user interface for the Nginx web server. Rated high severity (CVSS 8.9), this vulnerability is remotel
Nginx-UI is a web interface to manage Nginx configurations. Rated critical severity (CVSS 9.8), this vulnerability is re
Nginx-UI is a web interface to manage Nginx configurations. Rated high severity (CVSS 8.8), this vulnerability is remote
Nginx UI is a web user interface for the Nginx web server. Rated medium severity (CVSS 5.5), this vulnerability is remot
Nginx-UI is a web interface to manage Nginx configurations. Rated high severity (CVSS 7.1), this vulnerability is remote
Nginx-UI is an online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage i
Nginx-ui is online statistics for Server Indicators Monitor CPU usage, memory usage, load average, and disk usage in r
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today