CVE-2024-49368: 
Nginx UI vulnerability analysis and mitigation

CVE-2024-49368 affects Nginx UI, a web user interface for the Nginx web server. The vulnerability was discovered and disclosed on October 21, 2024, affecting all versions prior to 2.0.0-beta.36. The issue exists in the logrotate configuration functionality where the application fails to properly validate input before passing it to exec.Command (NVD, ASEC).

The vulnerability stems from improper input validation in the logrotate configuration functionality. When Nginx UI configures logrotate, it retrieves the logrotate.cmd command from settings and passes it directly to exec.Command without any validation, as identified in internal/logrotate/logrotate.go and api/settings/settings.go. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 8.9 (HIGH) (GitHub Advisory, NVD).

The vulnerability allows for arbitrary command execution on the affected system. An attacker can exploit this vulnerability by manipulating the logrotate settings through the API, potentially leading to remote command execution on the server hosting Nginx UI (GitHub Advisory).

Users are strongly advised to upgrade to Nginx UI version 2.0.0-beta.36 or later, which includes a fix for this vulnerability. The update was released on October 9, 2024, and addresses the input validation issue in the logrotate configuration functionality (GitHub Release, ASEC).