CVE-2024-49366: 
Nginx UI vulnerability analysis and mitigation

Nginx UI, a web user interface for the Nginx web server, contains a directory traversal vulnerability identified as CVE-2024-49366. The vulnerability affects versions up to and including v2.0.0-beta.35, where the application gets values from JSON fields without proper verification, allowing the construction of directory traversal payloads (e.g., '../../'). The vulnerability was discovered on October 21, 2024, and has been patched in version 2.0.0-beta.36 (GitHub Advisory, NVD).

The vulnerability exists in the GetConfPath function where user-controlled input from JSON fields is not properly validated. This allows attackers to manipulate the path parameter using directory traversal sequences. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and a CVSS v4.0 score of 7.7 HIGH (NVD).

When successfully exploited, this vulnerability allows attackers to write arbitrary files to the server, which can result in loss of permissions. The vulnerability can be leveraged to write or copy files to any path on the system, potentially leading to privilege escalation (GitHub Advisory).

The vulnerability has been fixed in version 2.0.0-beta.36 by modifying the GetConfPath function to ensure proper path validation and prevent directory traversal. Users are advised to upgrade to this version or later. The fix includes implementing proper path cleaning and validation using filepath.Clean and filepath.Join functions (GitHub Release).