cvelist GitHub_M CVELIST:CVE-2022-24715
History: Mar 08, 2022 - 12:00 a.m.

CVE-2022-24715 Arbitrary code execution for authenticated users in Icinga Web 2

2022-03-08 00:00:00
CWE-22
GitHub_M
www.cve.org
cve-2022-24715
arbitrary code execution
icinga web 2
authenticated users
ssh resource files
unintended directories
configuration access limit

CVSS3: 8.5

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 8.9
Confidence: High

EPSS: 0.004
Percentile: 74.2%

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.

CNA Affected

[
  {
    "vendor": "Icinga",
    "product": "icingaweb2",
    "versions": [
      {
        "version": "< 2.8.6",
        "status": "affected"
      },
      {
        "version": ">= 2.9.0, < 2.9.6",
        "status": "affected"
      }
    ]
  }
]
