CVE-2022-24715

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
Path Traversal

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.5 HIGH | NETWORK | HIGH | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| GitHub_M | CNA | 8.5 HIGH | NETWORK | HIGH | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | --- | | | | --- |

EPSS Score percentile: 98%

| Vendor | Product | Version |
|---|---|---|
| icinga | icinga_web_2 | 𝑥 < 2.8.6 |
| icinga | icinga_web_2 | 2.9.0 ≤ 𝑥 < 2.9.6 |

𝑥 = Vulnerable software versions

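Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| icingaweb2 | bullseye | | no-dsa |
| icingaweb2 | buster | | no-dsa |
| icingaweb2 | bookworm | 2.11.4-2+deb12u1 | fixed |
| icingaweb2 | sid | 2.12.1-1 | fixed |
| icingaweb2 | trixie | 2.12.1-1 | fixed |
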
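Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| icingaweb2 | noble | not-affected |
| icingaweb2 | mantic | not-affected |
| icingaweb2 | lunar | not-affected |
| icingaweb2 | kinetic | ignored |
| icingaweb2 | jammy | needed |
| icingaweb2 | impish | ignored |
| icingaweb2 | focal | needed |
| icingaweb2 | bionic | needed |
| icingaweb2 | xenial | needed |
| icingaweb2 | trusty | ignored |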