CVE-2021-32743: Exposure of Sensitive Information Through Data Queries in Icinga2

Severity: 8.8 HIGH (NVD)
EPSS: 0.4% (top 42.19%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 15

Description

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

NVD: icinga/icinga2, 0.0 to 2.11.10 (+1)
CVEListV5: icinga/icinga2, < 2.11.10 (+1)
Debian: icinga/icinga2, < 2.12.3-1+deb11u1 (+3)

Also affects: Debian Linux 9.0

Vulnerability Details (2)

OSV: CVE-2021-32743: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for report (2021-07-15)
CVEList: Passwords used to access external services inadvertently exposed through API (2021-07-15)

Vendor Advisories (1)

Debian: CVE-2021-32743: icinga2 - Icinga is a monitoring system which checks the availability of network resources... (2021)
CVE-2021-32743 — Icinga Icinga2 vulnerability | cvebase