Search criteria
18 vulnerabilities found for icingaweb2 by Icinga
CVE-2025-30164 (GCVE-0-2025-30164)
Vulnerability from cvelistv5 – Published: 2025-03-26 16:13 – Updated: 2025-05-12 15:41
VLAI?
Title
Icinga Web 2 has open redirect on login page
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows to manipulate the backend to redirect the user to any location. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. No known workarounds are available.
Severity ?
4.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.11.5
Affected: >= 2.12.0, < 2.12.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T17:11:13.990106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T15:41:08.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.5"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows to manipulate the backend to redirect the user to any location. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T16:13:26.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-8r73-6686-wv8q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-8r73-6686-wv8q"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3"
}
],
"source": {
"advisory": "GHSA-8r73-6686-wv8q",
"discovery": "UNKNOWN"
},
"title": "Icinga Web 2 has open redirect on login page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30164",
"datePublished": "2025-03-26T16:13:26.590Z",
"dateReserved": "2025-03-17T12:41:42.567Z",
"dateUpdated": "2025-05-12T15:41:08.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27609 (GCVE-0-2025-27609)
Vulnerability from cvelistv5 – Published: 2025-03-26 16:10 – Updated: 2025-03-26 18:05
VLAI?
Title
Icinga Web 2 Vulnerable to Reflected XSS
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.11.5
Affected: >= 2.12.0, < 2.12.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27609",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T17:11:55.741138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T18:05:36.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.5"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim\u0027s Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 1.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T16:10:19.223Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5cjw-fwjc-8j38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5cjw-fwjc-8j38"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3"
}
],
"source": {
"advisory": "GHSA-5cjw-fwjc-8j38",
"discovery": "UNKNOWN"
},
"title": "Icinga Web 2 Vulnerable to Reflected XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27609",
"datePublished": "2025-03-26T16:10:19.223Z",
"dateReserved": "2025-03-03T15:10:34.079Z",
"dateUpdated": "2025-03-26T18:05:36.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27405 (GCVE-0-2025-27405)
Vulnerability from cvelistv5 – Published: 2025-03-26 15:10 – Updated: 2025-03-26 15:57
VLAI?
Title
Icinga Web 2 has XSS in embedded content
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
Severity ?
7.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.11.5
Affected: >= 2.12.0, < 2.12.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T15:32:25.389310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T15:57:52.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.5"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T15:10:10.288Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3"
}
],
"source": {
"advisory": "GHSA-3x37-fjc3-ch8w",
"discovery": "UNKNOWN"
},
"title": "Icinga Web 2 has XSS in embedded content"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27405",
"datePublished": "2025-03-26T15:10:10.288Z",
"dateReserved": "2025-02-24T15:51:17.267Z",
"dateUpdated": "2025-03-26T15:57:52.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27404 (GCVE-0-2025-27404)
Vulnerability from cvelistv5 – Published: 2025-03-26 14:21 – Updated: 2025-03-26 15:10
VLAI?
Title
Icinga Web 2 DOM-based XSS vulnerability
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
Severity ?
7.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.11.5
Affected: >= 2.12.0, < 2.12.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T14:53:16.085511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T14:53:31.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.5"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T15:10:01.679Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-c6pg-h955-wf66",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-c6pg-h955-wf66"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3"
}
],
"source": {
"advisory": "GHSA-c6pg-h955-wf66",
"discovery": "UNKNOWN"
},
"title": "Icinga Web 2 DOM-based XSS vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27404",
"datePublished": "2025-03-26T14:21:05.363Z",
"dateReserved": "2025-02-24T15:51:17.267Z",
"dateUpdated": "2025-03-26T15:10:01.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24714 (GCVE-0-2022-24714)
Vulnerability from cvelistv5 – Published: 2022-03-08 19:55 – Updated: 2025-04-23 18:56
VLAI?
Title
Disclosure of hosts and related data, linked to decommissioned services in Icinga Web 2
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.
Severity ?
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.8.6
Affected: >= 2.9.0, < 2.9.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:49.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-05"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:56:55.321447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:56:46.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.8.6"
},
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-04T15:13:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-05"
}
],
"source": {
"advisory": "GHSA-qcmg-vr56-x9wf",
"discovery": "UNKNOWN"
},
"title": "Disclosure of hosts and related data, linked to decommissioned services in Icinga Web 2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24714",
"STATE": "PUBLIC",
"TITLE": "Disclosure of hosts and related data, linked to decommissioned services in Icinga Web 2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "icingaweb2",
"version": {
"version_data": [
{
"version_value": "\u003c 2.8.6"
},
{
"version_value": "\u003e= 2.9.0, \u003c 2.9.6"
}
]
}
}
]
},
"vendor_name": "Icinga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf",
"refsource": "CONFIRM",
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf"
},
{
"name": "https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293"
},
{
"name": "GLSA-202208-05",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-05"
}
]
},
"source": {
"advisory": "GHSA-qcmg-vr56-x9wf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24714",
"datePublished": "2022-03-08T19:55:09.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:56:46.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24715 (GCVE-0-2022-24715)
Vulnerability from cvelistv5 – Published: 2022-03-08 00:00 – Updated: 2025-04-23 18:58
VLAI?
Title
Arbitrary code execution for authenticated users in Icinga Web 2
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
Severity ?
8.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.8.6
Affected: >= 2.9.0, < 2.9.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-05"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/173516/Icinga-Web-2.10-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:55:25.530365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:58:50.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.8.6"
},
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63"
},
{
"url": "https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202208-05"
},
{
"url": "http://packetstormsecurity.com/files/173516/Icinga-Web-2.10-Remote-Code-Execution.html"
}
],
"source": {
"advisory": "GHSA-v9mv-h52f-7g63",
"discovery": "UNKNOWN"
},
"title": "Arbitrary code execution for authenticated users in Icinga Web 2"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24715",
"datePublished": "2022-03-08T00:00:00.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:58:50.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24716 (GCVE-0-2022-24716)
Vulnerability from cvelistv5 – Published: 2022-03-08 00:00 – Updated: 2025-04-23 18:58
VLAI?
Title
Path traversal in Icinga Web 2
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
Severity ?
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
>= 2.9.0, < 2.9.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:49.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-05"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:57:07.715188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:58:45.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-10T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw"
},
{
"url": "https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202208-05"
},
{
"url": "http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.html"
}
],
"source": {
"advisory": "GHSA-5p3f-rh28-8frw",
"discovery": "UNKNOWN"
},
"title": "Path traversal in Icinga Web 2"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24716",
"datePublished": "2022-03-08T00:00:00.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:58:45.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32747 (GCVE-0-2021-32747)
Vulnerability from cvelistv5 – Published: 2021-07-12 22:50 – Updated: 2024-08-03 23:33
VLAI?
Title
Custom variable protection and blacklists can be circumvented
Summary
Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to setup protection rules and blacklists in a user's role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
>= 2.0.0, <= 2.8.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.787Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it\u0027s possible to setup protection rules and blacklists in a user\u0027s role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-12T22:50:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx"
}
],
"source": {
"advisory": "GHSA-2xv9-886q-p7xx",
"discovery": "UNKNOWN"
},
"title": "Custom variable protection and blacklists can be circumvented",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32747",
"STATE": "PUBLIC",
"TITLE": "Custom variable protection and blacklists can be circumvented"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "icingaweb2",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.0.0, \u003c= 2.8.2"
}
]
}
}
]
},
"vendor_name": "Icinga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it\u0027s possible to setup protection rules and blacklists in a user\u0027s role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
},
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx",
"refsource": "CONFIRM",
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx"
}
]
},
"source": {
"advisory": "GHSA-2xv9-886q-p7xx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32747",
"datePublished": "2021-07-12T22:50:11",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32746 (GCVE-0-2021-32746)
Vulnerability from cvelistv5 – Published: 2021-07-12 22:25 – Updated: 2024-08-03 23:33
VLAI?
Title
Possible path traversal by use of the `doc` module
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
>= 2.3.0, <= 2.8.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:54.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c= 2.8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-12T22:25:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
}
],
"source": {
"advisory": "GHSA-cmgc-h4cx-3v43",
"discovery": "UNKNOWN"
},
"title": "Possible path traversal by use of the `doc` module",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32746",
"STATE": "PUBLIC",
"TITLE": "Possible path traversal by use of the `doc` module"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "icingaweb2",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.3.0, \u003c= 2.8.2"
}
]
}
}
]
},
"vendor_name": "Icinga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43",
"refsource": "CONFIRM",
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
}
]
},
"source": {
"advisory": "GHSA-cmgc-h4cx-3v43",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32746",
"datePublished": "2021-07-12T22:25:11",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:54.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30164 (GCVE-0-2025-30164)
Vulnerability from nvd – Published: 2025-03-26 16:13 – Updated: 2025-05-12 15:41
VLAI?
Title
Icinga Web 2 has open redirect on login page
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows to manipulate the backend to redirect the user to any location. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. No known workarounds are available.
Severity ?
4.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.11.5
Affected: >= 2.12.0, < 2.12.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T17:11:13.990106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T15:41:08.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.5"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 vulnerability allows an attacker to craft a URL that, once visited by an authenticated user (or one that is able to authenticate), allows to manipulate the backend to redirect the user to any location. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T16:13:26.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-8r73-6686-wv8q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-8r73-6686-wv8q"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3"
}
],
"source": {
"advisory": "GHSA-8r73-6686-wv8q",
"discovery": "UNKNOWN"
},
"title": "Icinga Web 2 has open redirect on login page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30164",
"datePublished": "2025-03-26T16:13:26.590Z",
"dateReserved": "2025-03-17T12:41:42.567Z",
"dateUpdated": "2025-05-12T15:41:08.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27609 (GCVE-0-2025-27609)
Vulnerability from nvd – Published: 2025-03-26 16:10 – Updated: 2025-03-26 18:05
VLAI?
Title
Icinga Web 2 Vulnerable to Reflected XSS
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.11.5
Affected: >= 2.12.0, < 2.12.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27609",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T17:11:55.741138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T18:05:36.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.5"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim\u0027s Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 1.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T16:10:19.223Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5cjw-fwjc-8j38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5cjw-fwjc-8j38"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3"
}
],
"source": {
"advisory": "GHSA-5cjw-fwjc-8j38",
"discovery": "UNKNOWN"
},
"title": "Icinga Web 2 Vulnerable to Reflected XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27609",
"datePublished": "2025-03-26T16:10:19.223Z",
"dateReserved": "2025-03-03T15:10:34.079Z",
"dateUpdated": "2025-03-26T18:05:36.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27405 (GCVE-0-2025-27405)
Vulnerability from nvd – Published: 2025-03-26 15:10 – Updated: 2025-03-26 15:57
VLAI?
Title
Icinga Web 2 has XSS in embedded content
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
Severity ?
7.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.11.5
Affected: >= 2.12.0, < 2.12.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T15:32:25.389310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T15:57:52.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.5"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T15:10:10.288Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-3x37-fjc3-ch8w"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3"
}
],
"source": {
"advisory": "GHSA-3x37-fjc3-ch8w",
"discovery": "UNKNOWN"
},
"title": "Icinga Web 2 has XSS in embedded content"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27405",
"datePublished": "2025-03-26T15:10:10.288Z",
"dateReserved": "2025-02-24T15:51:17.267Z",
"dateUpdated": "2025-03-26T15:57:52.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27404 (GCVE-0-2025-27404)
Vulnerability from nvd – Published: 2025-03-26 14:21 – Updated: 2025-03-26 15:10
VLAI?
Title
Icinga Web 2 DOM-based XSS vulnerability
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
Severity ?
7.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.11.5
Affected: >= 2.12.0, < 2.12.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T14:53:16.085511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T14:53:31.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.5"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T15:10:01.679Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-c6pg-h955-wf66",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-c6pg-h955-wf66"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.11.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.12.3"
}
],
"source": {
"advisory": "GHSA-c6pg-h955-wf66",
"discovery": "UNKNOWN"
},
"title": "Icinga Web 2 DOM-based XSS vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27404",
"datePublished": "2025-03-26T14:21:05.363Z",
"dateReserved": "2025-02-24T15:51:17.267Z",
"dateUpdated": "2025-03-26T15:10:01.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24714 (GCVE-0-2022-24714)
Vulnerability from nvd – Published: 2022-03-08 19:55 – Updated: 2025-04-23 18:56
VLAI?
Title
Disclosure of hosts and related data, linked to decommissioned services in Icinga Web 2
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.
Severity ?
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.8.6
Affected: >= 2.9.0, < 2.9.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:49.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-05"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:56:55.321447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:56:46.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.8.6"
},
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-04T15:13:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-05"
}
],
"source": {
"advisory": "GHSA-qcmg-vr56-x9wf",
"discovery": "UNKNOWN"
},
"title": "Disclosure of hosts and related data, linked to decommissioned services in Icinga Web 2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24714",
"STATE": "PUBLIC",
"TITLE": "Disclosure of hosts and related data, linked to decommissioned services in Icinga Web 2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "icingaweb2",
"version": {
"version_data": [
{
"version_value": "\u003c 2.8.6"
},
{
"version_value": "\u003e= 2.9.0, \u003c 2.9.6"
}
]
}
}
]
},
"vendor_name": "Icinga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf",
"refsource": "CONFIRM",
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf"
},
{
"name": "https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293"
},
{
"name": "GLSA-202208-05",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-05"
}
]
},
"source": {
"advisory": "GHSA-qcmg-vr56-x9wf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24714",
"datePublished": "2022-03-08T19:55:09.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:56:46.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24715 (GCVE-0-2022-24715)
Vulnerability from nvd – Published: 2022-03-08 00:00 – Updated: 2025-04-23 18:58
VLAI?
Title
Arbitrary code execution for authenticated users in Icinga Web 2
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
Severity ?
8.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
< 2.8.6
Affected: >= 2.9.0, < 2.9.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-05"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/173516/Icinga-Web-2.10-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:55:25.530365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:58:50.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.8.6"
},
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63"
},
{
"url": "https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202208-05"
},
{
"url": "http://packetstormsecurity.com/files/173516/Icinga-Web-2.10-Remote-Code-Execution.html"
}
],
"source": {
"advisory": "GHSA-v9mv-h52f-7g63",
"discovery": "UNKNOWN"
},
"title": "Arbitrary code execution for authenticated users in Icinga Web 2"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24715",
"datePublished": "2022-03-08T00:00:00.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:58:50.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24716 (GCVE-0-2022-24716)
Vulnerability from nvd – Published: 2022-03-08 00:00 – Updated: 2025-04-23 18:58
VLAI?
Title
Path traversal in Icinga Web 2
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
Severity ?
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
>= 2.9.0, < 2.9.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:49.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-05"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:57:07.715188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:58:45.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-10T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw"
},
{
"url": "https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d"
},
{
"name": "GLSA-202208-05",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202208-05"
},
{
"url": "http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.html"
}
],
"source": {
"advisory": "GHSA-5p3f-rh28-8frw",
"discovery": "UNKNOWN"
},
"title": "Path traversal in Icinga Web 2"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24716",
"datePublished": "2022-03-08T00:00:00.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:58:45.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32747 (GCVE-0-2021-32747)
Vulnerability from nvd – Published: 2021-07-12 22:50 – Updated: 2024-08-03 23:33
VLAI?
Title
Custom variable protection and blacklists can be circumvented
Summary
Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to setup protection rules and blacklists in a user's role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
>= 2.0.0, <= 2.8.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.787Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it\u0027s possible to setup protection rules and blacklists in a user\u0027s role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-12T22:50:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx"
}
],
"source": {
"advisory": "GHSA-2xv9-886q-p7xx",
"discovery": "UNKNOWN"
},
"title": "Custom variable protection and blacklists can be circumvented",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32747",
"STATE": "PUBLIC",
"TITLE": "Custom variable protection and blacklists can be circumvented"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "icingaweb2",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.0.0, \u003c= 2.8.2"
}
]
}
}
]
},
"vendor_name": "Icinga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it\u0027s possible to setup protection rules and blacklists in a user\u0027s role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
},
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx",
"refsource": "CONFIRM",
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx"
}
]
},
"source": {
"advisory": "GHSA-2xv9-886q-p7xx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32747",
"datePublished": "2021-07-12T22:50:11",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32746 (GCVE-0-2021-32746)
Vulnerability from nvd – Published: 2021-07-12 22:25 – Updated: 2024-08-03 23:33
VLAI?
Title
Possible path traversal by use of the `doc` module
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingaweb2 |
Affected:
>= 2.3.0, <= 2.8.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:54.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "icingaweb2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c= 2.8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-12T22:25:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
}
],
"source": {
"advisory": "GHSA-cmgc-h4cx-3v43",
"discovery": "UNKNOWN"
},
"title": "Possible path traversal by use of the `doc` module",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32746",
"STATE": "PUBLIC",
"TITLE": "Possible path traversal by use of the `doc` module"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "icingaweb2",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.3.0, \u003c= 2.8.2"
}
]
}
}
]
},
"vendor_name": "Icinga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43",
"refsource": "CONFIRM",
"url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3"
},
{
"name": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0",
"refsource": "MISC",
"url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0"
}
]
},
"source": {
"advisory": "GHSA-cmgc-h4cx-3v43",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32746",
"datePublished": "2021-07-12T22:25:11",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:54.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}