FixVibe
Covered by FixVibe | critical

Critical OS Command Injection in LibreNMS (CVE-2024-51092)

LibreNMS versions up to 24.9.1 contain a critical OS command injection vulnerability (CVE-2024-51092). Authenticated attackers can execute arbitrary commands on the host system, potentially leading to total compromise of the monitoring infrastructure.

CVE-2024-51092 | GHSA-x645-6pf9-xwxw | CWE-78

Impact

LibreNMS versions 24.9.1 and earlier contain a vulnerability that allows authenticated users to perform OS command injection [S2]. Successful exploitation enables the execution of arbitrary commands with the privileges of the web server user [S1]. This can lead to full system compromise, unauthorized access to sensitive monitoring data, and potential lateral movement within the network infrastructure managed by LibreNMS [S2].

Root Cause

The vulnerability is rooted in the improper neutralization of user-supplied input before it is incorporated into an operating system command [S1]. This flaw is classified as CWE-78 [S1]. In affected versions, specific authenticated endpoints fail to adequately validate or sanitize parameters before passing them to system-level execution functions [S2].

Remediation

Users should upgrade their LibreNMS installation to version 24.10.0 or later to resolve this issue [S2]. As a general security best practice, access to the LibreNMS administrative interface should be restricted to trusted network segments using firewalls or access control lists (ACLs) [S1].

How FixVibe tests for it

FixVibe now includes this in GitHub repo scans. The check reads authorized repository dependency files only, including composer.lock and composer.json. It flags librenms/librenms locked versions or constraints that match the affected range <=24.9.1, then reports the dependency file, line number, advisory IDs, affected range, and fixed version.

This is a static, read-only repo check. It does not execute customer code and does not send exploit payloads.
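
The composer.lock half of such a check could look like this in Python. This is an added example, not FixVibe's code: the function names and the sample lock file are constructed, and composer.json constraint ranges are not covered.

```python
import json
import re

ADVISORY_IDS = ["CVE-2024-51092", "GHSA-x645-6pf9-xwxw"]  # IDs from the advisory above
PACKAGE = "librenms/librenms"
LAST_AFFECTED = (24, 9, 1)    # affected range: <=24.9.1
FIXED_VERSION = "24.10.0"

# Constructed sample lock file (not taken from a real repository).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "monolog/monolog", "version": "3.7.0"},
    {"name": PACKAGE, "version": "24.9.1"},
]}, indent=4)

def parse_version(raw):
    """Return (major, minor, patch) for '24.9.1' or 'v24.9.1', else None."""
    # Compare as integer tuples: as strings, "24.10.0" sorts before "24.9.1".
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not m:
        return None  # e.g. 'dev-master' cannot be ordered; left for manual review
    return tuple(int(g or 0) for g in m.groups())

def line_of_package(text):
    """1-based line number of the package's "name" entry, or None."""
    pattern = re.compile(r'"name"\s*:\s*"' + re.escape(PACKAGE) + '"')
    for number, line in enumerate(text.splitlines(), start=1):
        if pattern.search(line):
            return number
    return None

def scan_composer_lock(text, filename="composer.lock"):
    """Read-only check: parse the lock file text and report affected pins."""
    lock = json.loads(text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") != PACKAGE:
                continue
            version = parse_version(str(pkg.get("version", "")))
            if version is not None and version <= LAST_AFFECTED:
                findings.append({
                    "file": filename, "line": line_of_package(text),
                    "advisories": ADVISORY_IDS, "affected_range": "<=24.9.1",
                    "locked_version": pkg["version"], "fixed_version": FIXED_VERSION,
                })
    return findings
```
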