CVE-2021-32746
Published: 12 July 2021
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows documentation to be viewed directly in the UI. It must be enabled manually by an administrator, and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
Priority
Status
Package | Release | Status
---|---|---
icingaweb2 (Launchpad, Ubuntu, Debian) | bionic | Needs triage
icingaweb2 | focal | Needs triage
icingaweb2 | trusty | Does not exist
icingaweb2 | upstream | Needs triage
icingaweb2 | groovy | Ignored (end of life)
icingaweb2 | xenial | Needs triage
icingaweb2 | impish | Ignored (end of life)
icingaweb2 | hirsute | Ignored (end of life)
icingaweb2 | kinetic | Ignored (end of life, was needs-triage)
icingaweb2 | jammy | Needs triage
icingaweb2 | mantic | Needs triage
icingaweb2 | lunar | Ignored (end of life, was needs-triage)
Severity score breakdown
Parameter | Value
---|---
Base score | 5.3
Attack vector | Network
Attack complexity | High
Privileges required | Low
User interaction | None
Scope | Unchanged
Confidentiality impact | High
Integrity impact | None
Availability impact | None
Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32746
- https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43
- https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5
- https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3
- https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0
- NVD
- Launchpad
- Debian