CVE-2022-24715

EUVD-2022-29576
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
GitHub_MCNA
8.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
Affected Products (NVD)
VendorProductVersion
icingaicinga_web_2
𝑥
< 2.8.6
icingaicinga_web_2
2.9.0 ≤
𝑥
< 2.9.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
icingaweb2
bookworm
2.11.4-2+deb12u1
fixed
bullseye
no-dsa
buster
no-dsa
sid
2.12.1-1
fixed
trixie
2.12.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icingaweb2
bionic
needed
focal
needed
impish
ignored
jammy
needed
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
needed
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/173516/Icinga-Web-2.10-Remote-Code-Execution.html
https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63
https://security.gentoo.org/glsa/202208-05
http://packetstormsecurity.com/files/173516/Icinga-Web-2.10-Remote-Code-Execution.html
https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63
https://security.gentoo.org/glsa/202208-05