SB2024012801 - Multiple vulnerabilities in nginx-ui

Published: January 28, 2024
Updated: April 23, 2026

Security Bulletin ID: SB2024012801
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 40%
Low: 60%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Path traversal (CVE-ID: CVE-2024-49366)

The vulnerability allows a remote user to write arbitrary files.

The vulnerability exists due to path traversal in internal/nginx/config_args.go GetConfPath() when handling user-supplied json.name values in site and stream management requests. A remote user can send a specially crafted request to write arbitrary files.

The issue can also be exploited through the duplicate and copy operations, and the content of the written nginx configuration is controllable because the application does not validate nginx configuration files by default.


2) Path traversal (CVE-ID: CVE-2024-49367)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the log path handling and /api/configs endpoint when handling crafted authenticated requests. A remote user can modify the log path and use directory traversal to read arbitrary files and disclose sensitive information.

Exploitation requires valid authentication and combines control over the nginx log path with directory traversal in /api/configs to obtain file names for targeted reading.


3) Command injection (CVE-ID: CVE-2024-49368)

The vulnerability allows a remote user to execute arbitrary commands.

The vulnerability exists due to command injection in logrotate configuration handling in api/settings/settings.go and internal/logrotate/logrotate.go when processing user-supplied settings. A remote user can send a specially crafted settings update request to execute arbitrary commands.

The issue can be triggered through the /api/settings endpoint by controlling the logrotate.cmd value.


4) CRLF injection (CVE-ID: CVE-2024-23828)

The vulnerability allows a remote user to execute arbitrary code on the host.

The vulnerability exists due to improper neutralization of CRLF sequences in application configuration handling in app.ini when processing user-supplied input. A remote user can inject crafted input to modify test_config_cmd and start_cmd to execute arbitrary code on the host.
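Items 3 and 4 share a root cause: a request-controlled string is written into a configuration store (app.ini) or handed to a shell without being constrained first. The Go block below is an added, defender-side example written for this bulletin; it is not nginx-ui code, and the function names, the `allowedCommands` set and the sample values are assumptions. It shows two mitigations side by side: a command setting is parsed into an argv slice that goes to exec.Command directly (never to `sh -c`), with the executable pinned to an allow-list, and an INI section writer rejects any key or value containing CR, LF or NUL so a value cannot terminate its own line and append keys such as test_config_cmd.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"sort"
	"strings"
)

// ErrRejectedSetting is returned for every value that fails validation.
var ErrRejectedSetting = errors.New("rejected setting value")

// allowedCommands lists the executables a command setting may name.
// The set is an assumption for this example; a deployment would pin exact paths.
var allowedCommands = map[string]bool{"logrotate": true}

// argPattern admits flags, file paths and key=value tokens and nothing else;
// pipes, semicolons, backticks, quotes, $() and whitespace never pass.
var argPattern = regexp.MustCompile(`^[A-Za-z0-9_./=:@-]+$`)

// iniKey constrains section and key names written to the INI file.
var iniKey = regexp.MustCompile(`^[a-z][a-z0-9_]*$`)

// CommandArgv turns a user-supplied command setting into an argv slice that
// can be handed to exec.Command directly. Nothing here reaches sh -c, so
// shell metacharacters have no meaning even if one slipped past the pattern.
func CommandArgv(value string) ([]string, error) {
	if strings.ContainsAny(value, "\r\n\x00") {
		return nil, ErrRejectedSetting
	}
	fields := strings.Fields(value)
	if len(fields) == 0 {
		return nil, ErrRejectedSetting
	}
	for _, f := range fields {
		if !argPattern.MatchString(f) {
			return nil, ErrRejectedSetting
		}
	}
	// The executable must be allow-listed and, if given as a path, must be
	// absolute so a relative "./logrotate" is never resolved from the cwd.
	exe := fields[0]
	if strings.ContainsRune(exe, filepath.Separator) && !filepath.IsAbs(exe) {
		return nil, ErrRejectedSetting
	}
	if !allowedCommands[filepath.Base(exe)] {
		return nil, ErrRejectedSetting
	}
	return fields, nil
}

// LogrotateCommand builds the exec.Cmd for a validated setting; argv[0] is the
// program and the rest are literal arguments, with no shell in between.
func LogrotateCommand(value string) (*exec.Cmd, error) {
	argv, err := CommandArgv(value)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

// RenderIniSection renders one [section] with its keys in sorted order and
// rejects any key or value containing CR, LF or NUL, so a value such as
// "10\ntest_config_cmd = ..." cannot add a second line to the file.
func RenderIniSection(section string, kv map[string]string) (string, error) {
	if !iniKey.MatchString(section) {
		return "", ErrRejectedSetting
	}
	keys := make([]string, 0, len(kv))
	for k := range kv {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	fmt.Fprintf(&b, "[%s]\n", section)
	for _, k := range keys {
		v := kv[k]
		if !iniKey.MatchString(k) || strings.ContainsAny(v, "\r\n\x00") {
			return "", ErrRejectedSetting
		}
		fmt.Fprintf(&b, "%s = %s\n", k, v)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample settings values: one legitimate, two that must be refused.
	for _, v := range []string{"logrotate -f /etc/logrotate.conf", "logrotate; id", "./logrotate"} {
		argv, err := CommandArgv(v)
		fmt.Printf("%-36q -> %v %v\n", v, argv, err)
	}
	out, err := RenderIniSection("nginx", map[string]string{"page_size": "10\ntest_config_cmd = x"})
	fmt.Printf("ini: %q err=%v\n", out, err)
}
```

The allow-list plus argv split is the part that matters: with `exec.Command(argv[0], argv[1:]...)` the arguments are passed to the program as-is, so even a character the regular expression did not anticipate is just an odd argument rather than a second command. The INI writer takes the same approach for the CRLF case by refusing the bytes that have structural meaning in the file format instead of trying to escape them.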


5) Input validation error (CVE-ID: CVE-2024-23827)

The vulnerability allows a remote user to write arbitrary files on the system.

The vulnerability exists due to improper input validation in the Import Certificate feature when handling crafted API requests. A remote user can supply arbitrary file paths and file content to write arbitrary files on the system.

Exploitation may allow code execution if the written files are later used by the application after a restart.
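Items 1, 2 and 5 are all variants of one defect: a request-supplied name or path is joined onto a directory the application manages without checking that the result stays inside it. The Go function below is an added example written for this bulletin, not nginx-ui's GetConfPath or any other code from the project; the root directory in main and the function name are constructed for illustration. It resolves the user value under the root and accepts it only if the cleaned relative path does not climb out, which covers `..` components, absolute paths and NUL bytes in one place.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any value that would resolve outside the
// directory the caller intends to manage.
var ErrOutsideRoot = errors.New("path escapes the managed directory")

// ContainedPath resolves userPath, a value taken from a request (a site or
// stream name, a log path, a certificate file name), under root and returns
// the absolute path only if it stays inside root. Every rejection maps to
// ErrOutsideRoot so callers cannot accidentally fall through to a write.
func ContainedPath(root, userPath string) (string, error) {
	if userPath == "" || strings.ContainsRune(userPath, 0) {
		return "", ErrOutsideRoot
	}
	// filepath.Join would place an absolute request path under root and make
	// it look contained, so absolute input is rejected before the join.
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, collapsing "." and ".." components.
	full := filepath.Join(absRoot, userPath)
	// A contained path has a relative form that never starts with "..".
	// Checking the relative path rather than a string prefix of full avoids
	// the "/etc/nginx" vs "/etc/nginx-backup" prefix mistake.
	rel, err := filepath.Rel(absRoot, full)
	if err != nil {
		return "", ErrOutsideRoot
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	root := "/etc/nginx/sites-available" // constructed example root
	// Constructed sample names: one legitimate, three traversal attempts.
	for _, name := range []string{"example.com.conf", "../nginx.conf", "/etc/passwd", "a/../../nginx.conf"} {
		p, err := ContainedPath(root, name)
		fmt.Printf("%-22q -> %q %v\n", name, p, err)
	}
}
```

Note that the check is on the lexical path only: if files under root may be symlinks, resolve the existing parent with filepath.EvalSymlinks and run the same containment test on the result. Callers that only ever expect a bare file name, as the site and stream handlers do, can be stricter still and reject any value containing a path separator.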


Remediation

Install the update from the vendor's website.