CVE-2022-24714 — Incorrect Authorization in Icingaweb2
Severity
5.3 MEDIUM (NVD)
EPSS
0.3%
top 43.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 8
Description
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host …
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 3 packages
Patches
Vulnerability Details (2)
Vendor Advisories (1)
Debian
CVE-2022-24714: icingaweb2 - Icinga Web 2 is an open source monitoring web interface, framework and command-l... (2022)