{"id":"CVE-2024-49366","summary":"Nginx UI's json field can construct a directory traversal payload, causing arbitrary files to be written","details":"Nginx UI is a web user interface for the Nginx web server. Nginx UI v2.0.0-beta.35 and earlier gets the value from the json field without verification, and can construct a value value in the form of `../../`. Arbitrary files can be written to the server, which may result in loss of permissions. Version 2.0.0-beta.26 fixes the issue.","aliases":["GHSA-prv4-rx44-f7jr"],"modified":"2025-12-05T06:42:22.441262Z","published":"2024-10-21T16:12:00.495Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49366.json","cwe_ids":["CWE-22"]},"references":[{"type":"WEB","url":"https://github.com/0xJacky/nginx-ui/releases/tag/v2.0.0-beta.36"},{"type":"ADVISORY","url":"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-prv4-rx44-f7jr"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49366.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49366"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/0xjacky/nginx-ui","events":[{"introduced":"0"},{"fixed":"96cff98c66deba24a20fdde4c6722896f3617680"}]}],"versions":["v1.1.0","v1.2.0","v1.2.0-alpha.3","v1.2.0-alpha.4","v1.2.0-rc.1","v1.2.0-rc.2","v1.2.0-rc.3","v1.2.1","v1.2.2","v1.3.0","v1.3.0-rc1","v1.3.1","v1.3.1-fix","v1.3.2","v1.3.3-rc1","v1.4.0","v1.4.0-rc1","v1.4.1","v1.4.2","v1.5.0","v1.5.0-beta1","v1.5.0-beta2","v1.5.0-beta3","v1.5.0-beta4","v1.5.0-beta4-fix","v1.5.0-beta5","v1.5.0-beta6","v1.5.0-beta7","v1.5.0-beta8","v1.5.0-beta9","v1.5.1","v1.5.2","v1.6.0","v1.6.0-fix","v1.6.1","v1.6.2","v1.6.3","v1.6.5","v1.6.6","v1.6.7","v1.6.8","v1.7.0","v1.7.0-patch","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v1.7.5","v1.7.6","v1.7.7","v1.7.8","v1.7.9","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.8.4-patch","v1.9.9","v1.9.9-1","v1.9.9-2","v1.9.9-3","v1.9.9-4","v2.0.0-beta.1","v2.0.0-beta.10","v2.0.0-beta.10-patch","v2.0.0-beta.11","v2.0.0-beta.12","v2.0.0-beta.13","v2.0.0-beta.13-patch","v2.0.0-beta.14","v2.0.0-beta.15","v2.0.0-beta.16","v2.0.0-beta.17","v2.0.0-beta.18","v2.0.0-beta.18-patch.1","v2.0.0-beta.18-patch.2","v2.0.0-beta.19","v2.0.0-beta.2","v2.0.0-beta.20","v2.0.0-beta.21","v2.0.0-beta.22","v2.0.0-beta.23","v2.0.0-beta.23-patch.1","v2.0.0-beta.23-patch.2","v2.0.0-beta.24","v2.0.0-beta.25","v2.0.0-beta.25-patch.1","v2.0.0-beta.25-patch.2","v2.0.0-beta.26","v2.0.0-beta.27","v2.0.0-beta.28","v2.0.0-beta.29","v2.0.0-beta.3","v2.0.0-beta.30","v2.0.0-beta.31","v2.0.0-beta.32","v2.0.0-beta.32-patch.1","v2.0.0-beta.33","v2.0.0-beta.34","v2.0.0-beta.35","v2.0.0-beta.4","v2.0.0-beta.4-patch","v2.0.0-beta.5","v2.0.0-beta.5-patch","v2.0.0-beta.6","v2.0.0-beta.6-patch","v2.0.0-beta.6-patch.2","v2.0.0-beta.7","v2.0.0-beta.8","v2.0.0-beta.8-patch","v2.0.0-beta.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49366.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"}]}