FixVibe
Covered by FixVibe · critical

LibreNMS versions up to 24.9.1 contain a critical OS command injection vulnerability (CVE-2024-51092). Authenticated attackers can execute arbitrary commands on the host system, potentially leading to total compromise of the monitoring infrastructure.

CVE-2024-51092 · GHSA-x645-6pf9-xwxw · CWE-78

Impact

LibreNMS versions 24.9.1 and earlier contain a vulnerability that allows authenticated users to perform OS command injection [S2]. Successful exploitation enables the execution of arbitrary commands with the privileges of the web server user [S1]. This can lead to full system compromise, unauthorized access to sensitive monitoring data, and potential lateral movement within the network infrastructure managed by LibreNMS [S2].

Root Cause

The vulnerability is rooted in the improper neutralization of user-supplied input before it is incorporated into an operating system command [S1]. This flaw is classified as CWE-78 [S1]. In affected versions, specific authenticated endpoints fail to adequately validate or sanitize parameters before passing them to system-level execution functions [S2].

Remediation

Users should upgrade their LibreNMS installation to version 24.10.0 or later to resolve this issue [S2]. As a general security best practice, access to the LibreNMS administrative interface should be restricted to trusted network segments using firewalls or access control lists (ACLs) [S1].

How FixVibe tests for it

FixVibe now includes this in GitHub repo scans. The check reads authorized repository dependency files only, including composer.lock and composer.json. It flags librenms/librenms locked versions or constraints that match the affected range <=24.9.1, then reports the dependency file, line number, advisory IDs, affected range, and fixed version.

This is a static, read-only repo check. It does not execute customer code and does not send exploit payloads.
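
A static lock-file check of the kind described above can be sketched as follows. This is an added example, not FixVibe's own code: the function names, the finding fields and the sample lock file are assumptions, and it covers only locked versions in composer.lock, not composer.json constraints.

```python
import json
import re

PACKAGE = "librenms/librenms"
ADVISORY_IDS = ["CVE-2024-51092", "GHSA-x645-6pf9-xwxw"]
LAST_AFFECTED = (24, 9, 1)    # affected range stated on the page: <=24.9.1
FIXED_VERSION = "24.10.0"     # fixed version stated on the page

def parse_version(text):
    """Return (major, minor, patch) for '24.9.1' or 'v24.9', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_composer_lock(path, text):
    """Return findings for locked librenms/librenms versions in the affected range."""
    lock = json.loads(text)
    name_re = re.compile(r'"name"\s*:\s*"%s"' % re.escape(PACKAGE))
    line_no = next((n for n, line in enumerate(text.splitlines(), 1)
                    if name_re.search(line)), None)
    findings = []
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        if pkg.get("name") != PACKAGE:
            continue
        locked = str(pkg.get("version", ""))
        version = parse_version(locked)
        if version is None:
            status = "unresolved"   # e.g. dev-master: needs manual review
        elif version <= LAST_AFFECTED:
            # Integer tuples: a string compare would rank 24.10.0 below 24.9.1.
            status = "affected"
        else:
            continue                # 24.10.0 or later: nothing to report
        findings.append({"file": path, "line": line_no, "locked": locked,
                         "status": status, "advisories": ADVISORY_IDS,
                         "affected_range": "<=24.9.1", "fixed": FIXED_VERSION})
    return findings

# Constructed sample lock file (not taken from a real repository).
SAMPLE_LOCK = """{
    "packages": [
        {
            "name": "librenms/librenms",
            "version": "24.9.1"
        }
    ],
    "packages-dev": []
}"""

if __name__ == "__main__":
    for finding in scan_composer_lock("composer.lock", SAMPLE_LOCK):
        print(finding)
```

Versions that are not plain numeric releases (branch aliases, pre-release tags) are reported as unresolved rather than silently passed, so they get a manual look.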