CVE-2024-49369Improper Certificate Validation in Icinga

CWE-295Improper Certificate Validation4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
22.5%
top 4.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Icinga Icinga2IcingaDebian Linux
Timeline
PublishedNov 12

Description

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11,

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDicinga/icinga2.4.02.11.12+3
Debianicinga/icinga2< 2.12.3-1+deb11u1+3
CVEListV5icinga/icinga24 versions+3

Also affects: Debian Linux 11.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
CVE-2024-49369: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for report2024-11-12
CVEList
Icinga 2 has a TLS Certificate Validation Bypass for JSON-RPC and HTTP API Connections2024-11-12

📋Vendor Advisories

1
Debian
CVE-2024-49369: icinga2 - Icinga is a monitoring system which checks the availability of network resources...2024
CVE-2024-49369 — Improper Certificate Validation | cvebase