9.8

CVE-2024-49368

Exploit
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.
Data provided by the National Vulnerability Database (NVD)
Nginxui Nginx Ui Version <= 1.9.9-4
Nginxui Nginx Ui Version 2.0.0 Update beta1
Nginxui Nginx Ui Version 2.0.0 Update beta10
Nginxui Nginx Ui Version 2.0.0 Update beta10_patch
Nginxui Nginx Ui Version 2.0.0 Update beta11
Nginxui Nginx Ui Version 2.0.0 Update beta12
Nginxui Nginx Ui Version 2.0.0 Update beta13
Nginxui Nginx Ui Version 2.0.0 Update beta13-patch
Nginxui Nginx Ui Version 2.0.0 Update beta14
Nginxui Nginx Ui Version 2.0.0 Update beta15
Nginxui Nginx Ui Version 2.0.0 Update beta16
Nginxui Nginx Ui Version 2.0.0 Update beta17
Nginxui Nginx Ui Version 2.0.0 Update beta18
Nginxui Nginx Ui Version 2.0.0 Update beta18-patch1
Nginxui Nginx Ui Version 2.0.0 Update beta18-patch2
Nginxui Nginx Ui Version 2.0.0 Update beta19
Nginxui Nginx Ui Version 2.0.0 Update beta2
Nginxui Nginx Ui Version 2.0.0 Update beta20
Nginxui Nginx Ui Version 2.0.0 Update beta21
Nginxui Nginx Ui Version 2.0.0 Update beta22
Nginxui Nginx Ui Version 2.0.0 Update beta23
Nginxui Nginx Ui Version 2.0.0 Update beta23-patch1
Nginxui Nginx Ui Version 2.0.0 Update beta23-ptach2
Nginxui Nginx Ui Version 2.0.0 Update beta24
Nginxui Nginx Ui Version 2.0.0 Update beta25
Nginxui Nginx Ui Version 2.0.0 Update beta25-patch1
Nginxui Nginx Ui Version 2.0.0 Update beta25-ptach2
Nginxui Nginx Ui Version 2.0.0 Update beta27
Nginxui Nginx Ui Version 2.0.0 Update beta28
Nginxui Nginx Ui Version 2.0.0 Update beta29
Nginxui Nginx Ui Version 2.0.0 Update beta3
Nginxui Nginx Ui Version 2.0.0 Update beta30
Nginxui Nginx Ui Version 2.0.0 Update beta31
Nginxui Nginx Ui Version 2.0.0 Update beta32
Nginxui Nginx Ui Version 2.0.0 Update beta32-patch1
Nginxui Nginx Ui Version 2.0.0 Update beta33
Nginxui Nginx Ui Version 2.0.0 Update beta34
Nginxui Nginx Ui Version 2.0.0 Update beta35
Nginxui Nginx Ui Version 2.0.0 Update beta4
Nginxui Nginx Ui Version 2.0.0 Update beta4_patch
Nginxui Nginx Ui Version 2.0.0 Update beta5
Nginxui Nginx Ui Version 2.0.0 Update beta5_patch
Nginxui Nginx Ui Version 2.0.0 Update beta6
Nginxui Nginx Ui Version 2.0.0 Update beta6_patch
Nginxui Nginx Ui Version 2.0.0 Update beta6_patch2
Nginxui Nginx Ui Version 2.0.0 Update beta7
Nginxui Nginx Ui Version 2.0.0 Update beta8
Nginxui Nginx Ui Version 2.0.0 Update beta8_patch
Nginxui Nginx Ui Version 2.0.0 Update beta9
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 67.53% | 0.985
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com | 8.9 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.