CVE-2024-49367 Overview
CVE-2024-49367 affects Nginx UI, a web user interface for the Nginx web server. Versions prior to 2.0.0-beta.36 expose a controllable log path that can be combined with a directory traversal flaw in the /api/configs endpoint. An unauthenticated attacker can read directory listings and arbitrary file contents on the server hosting Nginx UI. The issue is tracked under CWE-862: Missing Authorization and resolved in GitHub Release v2.0.0-beta.36.
Critical Impact
Attackers can read arbitrary directories and file contents on the server, exposing configuration files, credentials, and other sensitive data accessible to the Nginx UI process.
Affected Products
- Nginx UI versions prior to 2.0.0-beta.36
- All 2.0.0-beta.1 through 2.0.0-beta.35 releases (including patch variants)
- Deployments exposing the /api/configs endpoint to untrusted networks
Discovery Timeline
- 2024-10-21 - CVE-2024-49367 published to NVD
- 2024-11-07 - Last updated in NVD database
Technical Details for CVE-2024-49367
Vulnerability Analysis
Nginx UI provides a web-based management interface for Nginx configuration. The vulnerability stems from two combined weaknesses. First, the log path used by Nginx UI is controllable through the application interface. Second, the /api/configs endpoint suffers from a directory traversal flaw that does not properly validate user-supplied path parameters.
When chained, an attacker can point the log path to arbitrary locations on the filesystem and then use the traversal in /api/configs to enumerate directories and read file contents. The vulnerability is exploitable over the network without user interaction. See the GitHub Security Advisory GHSA-gr34-jgw4-7j4m for additional context.
Root Cause
The root cause is missing authorization and inadequate path validation [CWE-862]. The application accepts user-supplied log paths and configuration paths without enforcing that requested resources reside within an expected directory boundary. There is no canonicalization or allowlist of permitted paths before the file read operation executes.
Attack Vector
The attack vector is network-based. An attacker sends crafted requests to the /api/configs endpoint with traversal sequences referencing the controllable log path. Successful exploitation returns directory listings or file contents the Nginx UI process can access. This commonly includes Nginx configuration files, TLS keys stored in readable locations, environment files, and other host artifacts.
No verified public proof-of-concept code is available. Refer to the vendor advisory for technical specifics.
Detection Methods for CVE-2024-49367
Indicators of Compromise
- Unexpected HTTP requests to /api/configs containing path traversal patterns such as ../ or URL-encoded equivalents %2e%2e%2f
- Modifications to the Nginx UI log path configuration originating from unfamiliar sessions or IP addresses
- Access log entries showing reads of sensitive files outside the Nginx UI working directory
Detection Strategies
- Review Nginx UI application logs for changes to the log path setting and correlate with subsequent /api/configs requests
- Deploy web application firewall rules that block traversal sequences targeting the /api/configs route
- Inspect responses from /api/configs for content patterns matching /etc/, private key headers, or shell history files
Monitoring Recommendations
- Forward Nginx UI access and audit logs to a centralized logging platform for retention and correlation
- Alert on any administrative configuration changes to the Nginx UI log path setting
- Track filesystem reads by the Nginx UI process against an allowlist of expected directories
How to Mitigate CVE-2024-49367
Immediate Actions Required
- Upgrade Nginx UI to version 2.0.0-beta.36 or later as released in v2.0.0-beta.36
- Restrict network access to the Nginx UI management interface using firewall rules or reverse proxy authentication
- Audit the Nginx UI host for evidence of unauthorized file reads since deployment
Patch Information
The maintainer released 2.0.0-beta.36 to address both the controllable log path and the /api/configs directory traversal. Operators running any 2.0.0-beta.x release prior to beta.36 must upgrade. Full release notes are available at the GitHub Release page.
Workarounds
- Place Nginx UI behind an authenticated reverse proxy and restrict /api/configs to trusted administrative IP addresses
- Run the Nginx UI process under a least-privilege user account with read access limited to required configuration directories
- Apply mandatory access controls such as AppArmor or SELinux profiles to confine Nginx UI filesystem access
# Example nginx reverse proxy restriction for the management interface
location /api/configs {
allow 10.0.0.0/8;
deny all;
proxy_pass http://127.0.0.1:9000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
