CVE-2024-49368
Published: 2024-10-21
Priority: P2 · 73 · critical 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 23.49% (97.5th percentile)
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | < 2.0.0-beta.36 | 2.0.0-beta.36 |
| nginxui | nginx_ui | <= 1.9.9-4 | — |
| nginxui | nginx_ui | — | — |
Detection & IOCs (extracted from sources)
URL: /api/settings
Snort rule (sid 2057437; the negated content match must be quoted, `content:!"|22 22|"`, for the rule to parse):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS NGINX UI Authenticated Remote Command Execution in logrotate (CVE-2024-49368)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/settings"; http.header; to_lowercase; content:"authorization|3a 20|"; http.request_body; content:"|22|logrotate|22 3a|"; fast_pattern; content:"|22|cmd|22 3a|"; distance:0; content:!"|22 22|"; within:3; reference:cve,2024-49368; reference:url,github.com/0xJacky/nginx-ui/security/advisories/GHSA-66m6-27r9-77vm; classtype:web-application-attack; sid:2057437; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_11_13, cve CVE_2024_49368, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Requests must include an Authorization header, confirming the attacker is authenticated. Filter for authenticated sessions targeting the logrotate settings endpoint.
- The vulnerability exists in Nginx UI versions prior to 2.0.0-beta.36; identify and prioritize monitoring/patching of instances running older versions.
- Exploitation requires authentication; unauthenticated scanning will not trigger this rule. Ensure detection coverage includes monitoring of authenticated user sessions for abuse.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.9 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No advisories linked to this vulnerability.
Suricata
- ET WEB_SPECIFIC_APPS NGINX UI Authenticated Remote Command Execution in logrotate (CVE-2024-49368)
- Source: suricata · created 2024-11-13 · severity HIGH · CVSS 8.9
- Rule: sid 2057437, the same rule text as listed under Detection & IOCs above.
No public exploits indexed.