Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-24716Path Traversal in WEB 2

CWE-22Path Traversal7 documents7 sources
Severity
7.5HIGHNVD
EPSS
93.1%
top 0.20%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Icinga Icingaweb2Icinga WEB 2
Timeline
PublishedMar 8
Latest updateApr 8

Description

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDicinga/icinga_web_22.9.02.9.6
Debianicinga/icingaweb2< 2.9.6-1+2
CVEListV5icinga/icingaweb2>= 2.9.0, < 2.9.6

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
CVEList
Path traversal in Icinga Web 22022-03-08
OSV
CVE-2022-24716: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface2022-03-08
VulnCheck
icinga icinga_web_2 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')2022

💥Exploits & PoCs

2
Exploit-DB
Icinga Web 2.10 - Arbitrary File Disclosure2023-04-08
Nuclei
Icinga Web 2 - Arbitrary File Disclosure

📋Vendor Advisories

1
Debian
CVE-2022-24716: icingaweb2 - Icinga Web 2 is an open source monitoring web interface, framework and command-l...2022
CVE-2022-24716 — Path Traversal in Icinga WEB 2 | cvebase