CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
75.0%
This update for icingaweb2 to version 2.7.3 fixes the following issues :
icingaweb2 update to 2.7.3 :
icingaweb2 update to 2.7.2 :
icingaweb2 update to 2.7.1 :
Highlight links in the notes of an object
Fixed an issue where sort rules were no longer working
Fixed an issue where statistics were shown with an anarchist way
Fixed an issue where wildcards could no show results
icingaweb2 update to 2.7.0 :
New languages support
Now module developers got additional ways to customize Icinga Web 2
UI enhancements
icingaweb2 update to 2.6.3 :
Fixed various issues with LDAP
Fixed issues with timezone
UI enhancements
Stability fixes
icingaweb2 update to 2.6.2 :
You can find issues and features related to this release on our Roadmap. This bugfix release addresses the following topics :
Database connections to MySQL 8 no longer fail
LDAP connections now have a timeout configuration which defaults to 5 seconds
User groups are now correctly loaded for externally authenticated users
Filters are respected for all links in the host and service group overviews
Fixed permission problems where host and service actions provided by modules were missing
Fixed a SQL error in the contact list view when filtering for host groups
Fixed time zone (DST) detection
Fixed the contact details view if restrictions are active
Doc parser and documentation fixes
Fix security issues :
CVE-2018-18246: fixed an CSRF in moduledisable (boo#1119784)
CVE-2018-18247: fixed an XSS via /icingaweb2/navigation/add (boo#1119785)
CVE-2018-18248: fixed an XSS attack is possible via query strings or a dir parameter (boo#1119801)
CVE-2018-18249: fixed an injection of PHP ini-file directives involves environment variables as channel to send out information (boo#1119799)
CVE-2018-18250: fixed parameters that can break navigation dashlets (boo#1119800)
Remove setuid from new upstream spec file for following dirs :
/etc/icingaweb2, /etc/icingaweb/modules, /etc/icingaweb2/modules/setup, /etc/icingaweb2/modules/translation, /var/log/icingaweb2
icingaweb2 updated to 2.6.1 :
You can find issues and features related to this release on our [Roadmap](https://github.com/Icinga/icingaweb2/milestone /51?closed=1).
The command audit now logs a command’s payload as JSON which fixes a bug that has been introduced in version 2.6.0.
icingaweb2 was updated to 2.6.0 :
You can find issues and features related to this release on our Roadmap.
Enabling you to do stuff you couldn’t before
Support for PHP 7.2 added
Support for SQLite resources added
Login and Command (monitoring) auditing added with the help of a dedicated module
Pluginoutput rendering is now hookable by modules which allows to render custom icons, emojis and … cute kitties :octocat :
Avoiding that you miss something
It’s now possible to toggle between list- and grid-mode for the host- and servicegroup overviews
The servicegrid now supports to flip its axes which allows it to be put into a landscape mode
Contacts only associated with services are visible now when restricted based on host filters
Negated and combined membership filters now work as expected (#2934)
A more prominent error message in case the monitoring backend goes down
The filter editor doesn’t get cleared anymore upon hitting Enter
Making your life a bit easier
The tactical overview is now filterable and can be safely put into the dashboard
It is now possible to register new announcements over the REST Api
Filtering for custom variables now works in UTF8 environments
Ensuring you understand everything
The monitoring health is now beautiful to look at and properly behaves in narrow environments
Updated German localization
Updated Italian localization
Freeing you from unrealiable things
Removed support for PHP < 5.6
Removed support for persistent database connections
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2020-67.
#
# The text description of this plugin is (C) SUSE LLC.
#
include('compat.inc');
if (description)
{
script_id(133031);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/29");
script_cve_id(
"CVE-2018-18246",
"CVE-2018-18247",
"CVE-2018-18248",
"CVE-2018-18249",
"CVE-2018-18250"
);
script_name(english:"openSUSE Security Update : icingaweb2 (openSUSE-2020-67)");
script_set_attribute(attribute:"synopsis", value:
"The remote openSUSE host is missing a security update.");
script_set_attribute(attribute:"description", value:
"This update for icingaweb2 to version 2.7.3 fixes the following
issues :
icingaweb2 update to 2.7.3 :
- Fixed an issue where servicegroups for roles with
filtered objects were not available
icingaweb2 update to 2.7.2 :
- Performance imrovements and bug fixes
icingaweb2 update to 2.7.1 :
- Highlight links in the notes of an object
- Fixed an issue where sort rules were no longer working
- Fixed an issue where statistics were shown with an
anarchist way
- Fixed an issue where wildcards could no show results
icingaweb2 update to 2.7.0 :
- New languages support
- Now module developers got additional ways to customize
Icinga Web 2
- UI enhancements
icingaweb2 update to 2.6.3 :
- Fixed various issues with LDAP
- Fixed issues with timezone
- UI enhancements
- Stability fixes
icingaweb2 update to 2.6.2 :
You can find issues and features related to this release on our
Roadmap. This bugfix release addresses the following topics :
- Database connections to MySQL 8 no longer fail
- LDAP connections now have a timeout configuration which
defaults to 5 seconds
- User groups are now correctly loaded for externally
authenticated users
- Filters are respected for all links in the host and
service group overviews
- Fixed permission problems where host and service actions
provided by modules were missing
- Fixed a SQL error in the contact list view when
filtering for host groups
- Fixed time zone (DST) detection
- Fixed the contact details view if restrictions are
active
- Doc parser and documentation fixes
Fix security issues :
- CVE-2018-18246: fixed an CSRF in moduledisable
(boo#1119784)
- CVE-2018-18247: fixed an XSS via
/icingaweb2/navigation/add (boo#1119785)
- CVE-2018-18248: fixed an XSS attack is possible via
query strings or a dir parameter (boo#1119801)
- CVE-2018-18249: fixed an injection of PHP ini-file
directives involves environment variables as channel to
send out information (boo#1119799)
- CVE-2018-18250: fixed parameters that can break
navigation dashlets (boo#1119800)
- Remove setuid from new upstream spec file for following
dirs :
/etc/icingaweb2, /etc/icingaweb/modules,
/etc/icingaweb2/modules/setup,
/etc/icingaweb2/modules/translation, /var/log/icingaweb2
icingaweb2 updated to 2.6.1 :
- You can find issues and features related to this release
on our
[Roadmap](https://github.com/Icinga/icingaweb2/milestone
/51?closed=1).
- The command audit now logs a command's payload as JSON
which fixes a
[bug](https://github.com/Icinga/icingaweb2/issues/3535)
that has been introduced in version 2.6.0.
icingaweb2 was updated to 2.6.0 :
- You can find issues and features related to this release
on our Roadmap.
- Enabling you to do stuff you couldn't before
- Support for PHP 7.2 added
- Support for SQLite resources added
- Login and Command (monitoring) auditing added with the
help of a dedicated module
- Pluginoutput rendering is now hookable by modules which
allows to render custom icons, emojis and .. cute
kitties :octocat :
- Avoiding that you miss something
- It's now possible to toggle between list- and grid-mode
for the host- and servicegroup overviews
- The servicegrid now supports to flip its axes which
allows it to be put into a landscape mode
- Contacts only associated with services are visible now
when restricted based on host filters
- Negated and combined membership filters now work as
expected (#2934)
- A more prominent error message in case the monitoring
backend goes down
- The filter editor doesn't get cleared anymore upon
hitting Enter
- Making your life a bit easier
- The tactical overview is now filterable and can be
safely put into the dashboard
- It is now possible to register new announcements over
the REST Api
- Filtering for custom variables now works in UTF8
environments
- Ensuring you understand everything
- The monitoring health is now beautiful to look at and
properly behaves in narrow environments
- Updated German localization
- Updated Italian localization
- Freeing you from unrealiable things
- Removed support for PHP < 5.6
- Removed support for persistent database connections");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1101357");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119784");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119785");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119799");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119800");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119801");
script_set_attribute(attribute:"see_also", value:"https://github.com/Icinga/icingaweb2/issues/3535");
script_set_attribute(attribute:"see_also", value:"https://github.com/Icinga/icingaweb2/milestone/51?closed=1");
script_set_attribute(attribute:"solution", value:
"Update the affected icingaweb2 packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-18249");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/17");
script_set_attribute(attribute:"patch_publication_date", value:"2020/01/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/17");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icingacli");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icingaweb2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icingaweb2-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icingaweb2-vendor-HTMLPurifier");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icingaweb2-vendor-JShrink");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icingaweb2-vendor-Parsedown");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icingaweb2-vendor-dompdf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icingaweb2-vendor-lessphp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icingaweb2-vendor-zf1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php-Icinga");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if ( rpm_check(release:"SUSE15.1", reference:"icingacli-2.7.3-lp151.6.5.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"icingaweb2-2.7.3-lp151.6.5.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"icingaweb2-common-2.7.3-lp151.6.5.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"icingaweb2-vendor-HTMLPurifier-2.7.3-lp151.6.5.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"icingaweb2-vendor-JShrink-2.7.3-lp151.6.5.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"icingaweb2-vendor-Parsedown-2.7.3-lp151.6.5.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"icingaweb2-vendor-dompdf-2.7.3-lp151.6.5.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"icingaweb2-vendor-lessphp-2.7.3-lp151.6.5.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"icingaweb2-vendor-zf1-2.7.3-lp151.6.5.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"php-Icinga-2.7.3-lp151.6.5.1") ) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icingacli / icingaweb2 / icingaweb2-common / etc");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18246
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18247
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18248
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18249
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18250
bugzilla.opensuse.org/show_bug.cgi?id=1101357
bugzilla.opensuse.org/show_bug.cgi?id=1119784
bugzilla.opensuse.org/show_bug.cgi?id=1119785
bugzilla.opensuse.org/show_bug.cgi?id=1119799
bugzilla.opensuse.org/show_bug.cgi?id=1119800
bugzilla.opensuse.org/show_bug.cgi?id=1119801
github.com/Icinga/icingaweb2/issues/3535
github.com/Icinga/icingaweb2/milestone/51?closed=1
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
75.0%