CVE-2018-18249 — Code Injection in WEB 2

CWE-94 — Code Injection7 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 33.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Icinga Icingaweb2 Icinga WEB 2

Timeline

PublishedDec 17

Latest updateMay 13

Description

Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDicinga/icinga_web_2< 2.6.2

▶Debianicinga/icingaweb2< 2.6.2-1+3

🔴Vulnerability Details

GHSA

GHSA-h88r-wm6r-9ghp: Icinga Web 2 before 2↗2022-05-13

▶

OSV

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities↗2019-04-02

▶

OSV

linux-lts-xenial, linux-aws vulnerabilities↗2019-04-02

▶

CVEList

CVE-2018-18249: Icinga Web 2 before 2↗2018-12-17

▶

OSV

CVE-2018-18249: Icinga Web 2 before 2↗2018-12-17

▶

📋Vendor Advisories

Debian

CVE-2018-18249: icingaweb2 - Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vector...↗2018

▶