CVE-2021-37698: Improper Certificate Validation in Icinga

Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 63.45%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 19

Description

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

NVD: icinga/icinga 2.5.0 2.11.10 +2
Debian: icinga/icinga2 < 2.12.3-1+deb11u1 +3
CVEListV5: icinga/icinga2 >= 2.5.0, <= 2.13.0

Also affects: Debian Linux 9.0

🔴 Vulnerability Details (2)

OSV (2021-08-19): CVE-2021-37698: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for report
CVEList (2021-08-19): Missing TLS service certificate validation in GelfWriter, ElasticsearchWriter, InfluxdbWriter and Influxdb2Writer

📋 Vendor Advisories (1)

Debian (2021): CVE-2021-37698: icinga2 - Icinga is a monitoring system which checks the availability of network resources...
CVE-2021-37698 — Improper Certificate Validation | cvebase