CVE-2022-24715

2022-03-0820:15:07

Debian Security Bug Tracker

security-tracker.debian.org

icinga web 2

monitoring

ssh

arbitrary code execution

configuration

security flaw

unintended directories

upgrade limitation

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

74.2%

JSON

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.

OSVersionArchitecturePackageVersionFilename
Debian12allicingaweb2< 2.9.6-1icingaweb2_2.9.6-1_all.deb
Debian11allicingaweb2<= 2.8.2-2icingaweb2_2.8.2-2_all.deb
Debian999allicingaweb2< 2.9.6-1icingaweb2_2.9.6-1_all.deb
Debian13allicingaweb2< 2.9.6-1icingaweb2_2.9.6-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	icingaweb2	< 2.9.6-1	icingaweb2_2.9.6-1_all.deb
Debian	11	all	icingaweb2	<= 2.8.2-2	icingaweb2_2.8.2-2_all.deb
Debian	999	all	icingaweb2	< 2.9.6-1	icingaweb2_2.9.6-1_all.deb
Debian	13	all	icingaweb2	< 2.9.6-1	icingaweb2_2.9.6-1_all.deb