#VU127230 Path traversal in nginx-ui - CVE-2024-49367

 

Published: October 21, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127230
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-49367
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
nginx-ui
Software vendor:
Nginx UI

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the log path handling and /api/configs endpoint when handling crafted authenticated requests. A remote user can modify the log path and use directory traversal to read arbitrary files and disclose sensitive information.

Exploitation requires valid authentication and combines control over the nginx log path with directory traversal in /api/configs to obtain file names for targeted reading.
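The class of check that blocks this kind of traversal, shown as an added example (not nginx-ui's code or the vendor's patch): a user-supplied log or config path is accepted only if, after symlink resolution, it still lies inside an allowed base directory. `ConfinePath`, `ErrOutsideBase` and the sample paths are hypothetical names and values constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path resolves outside the allowed directory.
var ErrOutsideBase = errors.New("path escapes allowed base directory")

// ConfinePath resolves requested (relative to base, or absolute) and returns it
// only if it stays inside base. Assumption: base is an absolute, existing directory.
func ConfinePath(base, requested string) (string, error) {
	realBase, err := filepath.EvalSymlinks(base)
	if err != nil {
		return "", err
	}
	candidate := filepath.Clean(requested)
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(realBase, candidate) // Join also collapses ".." segments
	}
	resolved, err := filepath.EvalSymlinks(candidate)
	if errors.Is(err, os.ErrNotExist) {
		// The leaf may not exist yet (a new log file); its parent must, and is resolved instead.
		parent, perr := filepath.EvalSymlinks(filepath.Dir(candidate))
		if perr != nil {
			return "", perr
		}
		resolved = filepath.Join(parent, filepath.Base(candidate))
	} else if err != nil {
		return "", err
	}
	// Compare resolved paths, not raw strings: a prefix test alone misses symlinks and siblings.
	rel, err := filepath.Rel(realBase, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return resolved, nil
}

func main() {
	base, _ := os.MkdirTemp("", "conf") // constructed stand-in for the allowed directory
	defer os.RemoveAll(base)
	_, err := ConfinePath(base, "../../etc")
	fmt.Println("traversal rejected:", errors.Is(err, ErrOutsideBase))
}
```

The same function applies to both inputs the description names: a directory requested for listing and a log path supplied through settings.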


Remediation

Install the security update from the vendor's website.
