Path traversal in nginx-ui - CVE-2024-49366

Published: October 21, 2024 / Updated: April 23, 2026
Vulnerability identifier: #VU127229
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-49366
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Nginx UI
Affected software:
nginx-ui

Detailed vulnerability description

The vulnerability allows a remote user to write arbitrary files.

The vulnerability exists due to a path traversal flaw in internal/nginx/config_args.go GetConfPath() when handling user-supplied json.name values in site and stream management requests. A remote user can send a specially crafted request to write arbitrary files.

The same flaw is also reachable through the duplicate and copy operations, and the written nginx configuration content is controllable by the requester because the application does not validate the nginx configuration file by default.

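The weakness class described above, as an added illustration that is not nginx-ui's own code: naiveConfPath shows the unvalidated join pattern, and safeConfPath shows the check a defender would expect, which accepts only a bare file name and then re-verifies that the resolved path stays under the configuration directory. The base directory and the sample names are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrInvalidName is returned when a caller-supplied name would resolve
// outside the configuration directory.
var ErrInvalidName = errors.New("invalid configuration name")

// naiveConfPath joins baseDir with the caller-supplied name without validation,
// so a name containing ".." escapes baseDir (illustrative pattern, not nginx-ui's code).
func naiveConfPath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// safeConfPath accepts only a bare file name (no separators, not "." or "..")
// and, as defence in depth, re-checks that the resolved path stays under baseDir.
func safeConfPath(baseDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || filepath.Base(name) != name {
		return "", ErrInvalidName
	}
	root, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, name)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidName
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: a legitimate site name and a traversal attempt.
	const base = "/etc/nginx/sites-available"
	for _, name := range []string{"example.conf", "../../../tmp/x.conf"} {
		fmt.Printf("naive: %s\n", naiveConfPath(base, name))
		if p, err := safeConfPath(base, name); err != nil {
			fmt.Printf("safe:  rejected %q: %v\n", name, err)
		} else {
			fmt.Printf("safe:  %s\n", p)
		}
	}
}
```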
How to mitigate CVE-2024-49366

Install the security update from the vendor's website.

Sources