CVE-2022-24714

EUVD-2022-29575
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
icingaicinga_web_2
𝑥
< 2.8.6
icingaicinga_web_2
2.9.0 ≤
𝑥
< 2.9.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
icingaweb2
bookworm
2.11.4-2+deb12u1
fixed
bullseye
no-dsa
buster
no-dsa
sid
2.12.1-1
fixed
stretch
not-affected
trixie
2.12.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icingaweb2
bionic
not-affected
focal
needed
impish
ignored
jammy
needed
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
needed
Common Weakness Enumeration
References
https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf
https://security.gentoo.org/glsa/202208-05
https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf
https://security.gentoo.org/glsa/202208-05