CVE-2024-49367: 
Nginx UI vulnerability analysis and mitigation

Nginx UI, a web user interface for the Nginx web server, was found to contain a vulnerability (CVE-2024-49367) prior to version 2.0.0-beta.36. The vulnerability was discovered and disclosed on October 21, 2024, affecting all versions up to and including v2.0.0-beta.35. The issue involves controllable log paths that could be exploited to read directories and file contents on the server (NVD, GitHub Advisory).

The vulnerability stems from insufficient validation of log path settings in Nginx UI. When combined with a directory traversal vulnerability at /api/configs, attackers can manipulate the log path to read arbitrary directories and file contents. The issue received a CVSS v3.1 base score of 7.5 (HIGH) and a CVSS v4.0 score of 5.5 (MEDIUM). The vulnerability is classified as CWE-862 (Missing Authorization) (NVD).

The vulnerability allows attackers to read arbitrary directories and file contents on the affected server. This could lead to unauthorized access to sensitive information stored anywhere on the server's filesystem (GitHub Advisory).

The vulnerability has been fixed in version 2.0.0-beta.36. Users are advised to upgrade to this version or later. Starting from v2.0.0-beta.36, administrators must explicitly specify the directories where logs are stored through the LogDirWhiteList option in the nginx section of settings (Release Notes).