Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-24715 — Path Traversal in Icingaweb2

CWE-22 — Path Traversal5 documents5 sources

Severity

8.8HIGHNVD

CNA8.5

EPSS

72.5%

top 1.23%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Icinga Icingaweb2 Icinga WEB 2

Timeline

PublishedMar 8

Latest updateJul 15

Description

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5icinga/icingaweb2< 2.8.6+1

▶NVDicinga/icinga_web_22.9.0 — 2.9.6+1

▶Debianicinga/icingaweb2< 2.9.6-1+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Arbitrary code execution for authenticated users in Icinga Web 2↗2022-03-08

▶

OSV

CVE-2022-24715: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface↗2022-03-08

▶

💥Exploits & PoCs

Exploit-DB

Icinga Web 2.10 - Authenticated Remote Code Execution↗2023-07-15

▶

📋Vendor Advisories

Debian

CVE-2022-24715: icingaweb2 - Icinga Web 2 is an open source monitoring web interface, framework and command-l...↗2022

▶