Covered by FixVibecritical

LibreNMS 中的關鍵作業系統指令注入 (CVE-2024-51092) ZXCVFIXVIBESEND ZXCVFIXVIBESEG1 LibreNMS 版本 <= 24.9.1 容易受到經過驗證的作業系統指令注入 (CVE-2024-51092) 的攻擊。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG2 LibreNMS 24.9.1 先前的版本包含一個嚴重的作業系統指令注入漏洞 (CVE-2024-51092)。經過身份驗證的攻擊者可以在主機系統上執行任意命令，這可能會導致監控基礎設施遭到徹底破壞。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG3 ## 影響 ZXCVFIXVIBESEND ZXCVFIXVIBESEG4 LibreNMS 版本 24.9.1 及更早版本包含一個漏洞，允許經過驗證的使用者執行作業系統指令注入 CVE-2024-51092。成功利用此漏洞可以利用 Web 伺服器使用者 ZXCVFIXVIBETOKEN1ZXCV 的權限執行任意命令。這可能會導致整個系統遭到破壞、未經授權存取敏感監控數據，以及 LibreNMS ZXCVFIXVIBETOKEN2ZXCV 管理的網路基礎設施內潛在的橫向移動。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG5 ## 根本原因 ZXCVFIXVIBESEND ZXCVFIXVIBESEG6 此漏洞的根源在於在將使用者提供的輸入合併到作業系統命令 CVE-2024-51092 之前對其進行了不正確的中和。此缺陷分類為 ZXCVFIXVIBETOKEN3ZXCV ZXCVFIXVIBETOKEN1ZXCV。在受影響的版本中，特定的經過驗證的端點在將參數傳遞給系統級執行函數 ZXCVFIXVIBETOKEN2ZXCV 之前無法充分驗證或清理參數。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG7 ## 修復 ZXCVFIXVIBESEND ZXCVFIXVIBESEG8 使用者應將 LibreNMS 安裝升級至版本 24.10.0 或更高版本才能解決此問題 CVE-2024-51092。作為一般安全最佳實踐，對 LibreNMS 管理介面的存取應限制在使用防火牆或存取控制清單 (ACL) ZXCVFIXVIBETOKEN1ZXCV 的受信任網段。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG9 ## CVE-2024-51092 如何測試它 ZXCVFIXVIBESEND ZXCVFIXVIBESEG10 ZXCVFIXVIBETOKEN4ZXCV 現在將其包含在 ZXCVFIXVIBETOKEN5ZXCV 儲存庫掃描中。檢查僅讀取授權儲存庫依賴文件，包括 CVE-2024-51092 和 ZXCVFIXVIBETOKEN1ZXCV。它標記 ZXCVFIXVIBETOKEN2ZXCV 鎖定版本或與受影響範圍 ZXCVFIXVIBETOKEN3ZXCV 匹配的約束，然後報告依賴文件、行號、建議 ID、受影響範圍和修復版本。 ZXCVFIXVIBESEND ZXCVFIXVIBESEG11 這是靜態、唯讀的儲存庫檢查。它不執行客戶程式碼，也不發送漏洞利用負載。

LibreNMS versions up to 24.9.1 contain a critical OS command injection vulnerability (CVE-2024-51092). Authenticated attackers can execute arbitrary commands on the host system, potentially leading to total compromise of the monitoring infrastructure.

CVE-2024-51092GHSA-x645-6pf9-xwxwCWE-78

Impact

LibreNMS versions 24.9.1 and earlier contain a vulnerability that allows authenticated users to perform OS command injection [S2]. Successful exploitation enables the execution of arbitrary commands with the privileges of the web server user [S1]. This can lead to full system compromise, unauthorized access to sensitive monitoring data, and potential lateral movement within the network infrastructure managed by LibreNMS [S2].

Root Cause

The vulnerability is rooted in the improper neutralization of user-supplied input before it is incorporated into an operating system command [S1]. This flaw is classified as CWE-78 [S1]. In affected versions, specific authenticated endpoints fail to adequately validate or sanitize parameters before passing them to system-level execution functions [S2].

Remediation

Users should upgrade their LibreNMS installation to version 24.10.0 or later to resolve this issue [S2]. As a general security best practice, access to the LibreNMS administrative interface should be restricted to trusted network segments using firewalls or access control lists (ACLs) [S1].

How FixVibe tests for it

FixVibe now includes this in GitHub repo scans. The check reads authorized repository dependency files only, including composer.lock and composer.json. It flags librenms/librenms locked versions or constraints that match the affected range <=24.9.1, then reports the dependency file, line number, advisory IDs, affected range, and fixed version.

This is a static, read-only repo check. It does not execute customer code and does not send exploit payloads.