CVE-2022-24714

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensible information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
VendorProductVersion
icingaicinga_web_2
𝑥
< 2.8.6
icingaicinga_web_2
2.9.0 ≤
𝑥
< 2.9.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
icingaweb2
bullseye
no-dsa
buster
no-dsa
stretch
not-affected
bookworm
2.11.4-2+deb12u1
fixed
sid
2.12.1-1
fixed
trixie
2.12.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icingaweb2
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
ignored
jammy
needed
impish
ignored
focal
needed
bionic
not-affected
xenial
needed
trusty
ignored
Common Weakness Enumeration
References
https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf
https://security.gentoo.org/glsa/202208-05
https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf
https://security.gentoo.org/glsa/202208-05