CVE-2022-24716
Published 2022-03-08
Priority P1 · 85 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 89.38% (99.8th percentile)
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icingaweb2 | < icingaweb2 2.9.6-1 (bookworm) | icingaweb2 2.9.6-1 (bookworm) |
| icinga | icinga_web_2 | >= 2.9.0 < 2.9.6 | 2.9.6 |
| icinga | icingaweb2 | — | — |
| icinga | icingaweb2 | >= 0 < 2.9.6-1 | 2.9.6-1 |
| icinga | icingaweb2 | >= 0 < 2.9.6-1 | 2.9.6-1 |
| icinga | icingaweb2 | >= 0 < 2.9.6-1 | 2.9.6-1 |
Detection & IOCs (extracted from sources)
YARA: regex `root:.*:0:0:`
Sigma: GET request to /lib/icinga/icinga-php-thirdparty/ (unauthenticated directory traversal)
- Look for unauthenticated GET requests containing the path segment '/lib/icinga/icinga-php-thirdparty/' in HTTP access logs; any traversal beyond the library root (e.g., to /etc/passwd or /etc/icingaweb2/config.ini) is a strong indicator of exploitation.
- HTTP responses with Content-Type 'text/plain' to requests under /lib/icinga/icinga-php-thirdparty/ are a detection signal used by the Nuclei template for this CVE.
- Monitor for requests targeting sensitive Icinga Web 2 configuration files such as /etc/icingaweb2/config.ini via the traversal path, which may expose database credentials.
- Use Shodan/FOFA queries to identify exposed Icinga Web 2 instances for proactive asset identification: title:"Icinga Web 2 login".
- The traversal vulnerability affects Icinga Web 2 versions 2.8.0–2.8.5 and 2.9.0–2.9.5 inclusive; versions 2.9.6 and 2.10+ are patched. Detection rules should scope version checks accordingly.
- The exploit is unauthenticated: no session cookie or authentication header is required, so WAF/IDS rules should not require an authenticated session context to fire.
- The Nuclei template uses stop-at-first-match across three URL variants; detection logic should account for all three base path variants (/icinga2/, /icinga-web/, and root) to avoid missed detections.
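The access-log check described in the bullets above, as an added example that is not part of this page or of any of the cited sources. It assumes the nginx/Apache combined log format and constructed sample lines; it decodes and normalizes the request target before deciding whether it resolves outside the thirdparty library root, and it deliberately ignores any session or auth field, since the flaw is unauthenticated.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Combined access-log format (nginx/Apache default); "target" is the request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
LIB_SEGMENT = "/lib/icinga/icinga-php-thirdparty/"

def decode_target(target: str) -> str:
    """Drop the query string and percent-decode twice (catches double-encoded separators)."""
    return unquote(unquote(target.split("?", 1)[0]))

def is_thirdparty_traversal(target: str) -> bool:
    """True if the request addresses the thirdparty library path but, once dot-segments
    are collapsed the way the server would, resolves outside that library root."""
    decoded = decode_target(target)
    idx = decoded.find(LIB_SEGMENT)
    if idx == -1:
        return False
    lib_root = decoded[:idx] + LIB_SEGMENT   # base prefix ("/icinga2", "/icinga-web" or "") + segment
    return not (normpath(decoded) + "/").startswith(lib_root)

def scan_access_log(text: str) -> list:
    """One finding per GET line that traverses out of the library root; no auth check on purpose."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not is_thirdparty_traversal(m["target"]):
            continue
        findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "resolved": normpath(decode_target(m["target"]))})
    return findings

# Constructed sample log (documentation IPs); lines 2 and 3 should fire, lines 1 and 4 should not.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2024:10:01:12 +0000] "GET /icinga-web/lib/icinga/icinga-php-thirdparty/jquery/jquery.min.js HTTP/1.1" 200 89501
203.0.113.77 - - [22/Jan/2024:10:02:40 +0000] "GET /lib/icinga/icinga-php-thirdparty/../../../../etc/passwd HTTP/1.1" 200 2481
203.0.113.77 - - [22/Jan/2024:10:02:41 +0000] "GET /icinga2/lib/icinga/icinga-php-thirdparty/..%2f..%2f..%2f..%2fetc%2ficingaweb2%2fconfig.ini HTTP/1.1" 200 512
203.0.113.10 - - [22/Jan/2024:10:03:05 +0000] "GET /icinga-web/authentication/login HTTP/1.1" 200 4102
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} resolved={f['resolved']}")
```

A 200 status on a flagged line means the file was actually served; pair hits with the credential-rotation advice in the summary above.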
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
OSV
osv · 2022-03-08 · CVSS 7.5 (HIGH)
CVE-2022-24716: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface
VulnCheck
vulncheck · 2022 · CVSS 7.5 (HIGH)
icinga icinga_web_2: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: icinga icinga_web_2
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=s
Debian
vendor_debian · 2022 · CVSS 7.5 (HIGH)
CVE-2022-24716: icingaweb2 - Icinga Web 2 is an open source monitoring web interface, framework and command-l...
Scope: local
- bookworm: resolved (fixed in 2.9.6-1)
- bullseye: resolved
- forky: resolved (fixed in 2.9.6-1)
- sid: resolved (fixed in 2.9.6-1)
- trixie: resolved (fixed in 2.9.6-1)
No detection rules found.
Exploit-DB
exploitdb · 2023-04-08 · CVSS 7.5 (HIGH)
Icinga Web 2.10 - Arbitrary File Disclosure

```python
#!/usr/bin/env python3
# Exploit Title: Icinga Web 2.10 - Arbitrary File Disclosure
# Date: 2023-03-19
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24716
# Based on: https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/
import argparse
import requests
from termcolor import colored


def print_message(message, type):
    # Colour-coded console output helper used by the rest of the script
    if type == 'SUCCESS':
        print('[' + colored('SUCCESS', 'green') + '] ' + message)
    elif type == 'INFO':
        print('[' + colored('INFO', 'blue') + '] ' + message)
    elif type == 'WARNING':
        print('[' + colored('WARNING', 'yellow') + '] ' + message)
```
Nuclei
nuclei · CVSS 7.5 (HIGH)
Icinga Web 2 - Arbitrary File Disclosure
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials.
Template:

```yaml
id: CVE-2022-24716

info:
  name: Icinga Web 2 - Arbitrary File Disclosure
  author: DhiyaneshDK
  severity: high
  description: |
    Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials.
  impact: |
    The vulnerability can lead to unauthorized access to sensitive info
```
Metasploit
metasploit
Icingaweb Directory Traversal in Static Library File Requests
Icingaweb versions from 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive suffer from an unauthenticated directory traversal vulnerability. The vulnerability is triggered through the icinga-php-thirdparty library, which allows unauthenticated users to retrieve arbitrary files from the target's filesystem via a GET request to /lib/icinga/icinga-php-thirdparty/ as the user running the Icingaweb server, which will typically be the www-data user. This can then be used to retrieve sensitive configuration information from the target such as the configuration of various services, which may reveal sensitive login or configuration information, the /etc/passwd file to get a list of valid usernames for password guessing attacks, or ot
References:
- http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.html
- https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d
- https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw
- https://security.gentoo.org/glsa/202208-05