CVE-2022-24715
8.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Icinga | icingaweb2 | < 2.8.6 | affected |
| Icinga | icingaweb2 | >= 2.9.0, < 2.9.6 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63
- https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb
- https://security.gentoo.org/glsa/202208-05
- http://packetstormsecurity.com/files/173516/Icinga-Web-2.10-Remote-Code-Execution.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63
- https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb
- https://security.gentoo.org/glsa/202208-05
- http://packetstormsecurity.com/files/173516/Icinga-Web-2.10-Remote-Code-Execution.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.