CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30607 – icingaweb2-module-jira template and field configuration are susceptible to CSRF
https://notcve.org/view.php?id=CVE-2023-30607
05 Jul 2023 — icingaweb2-module-jira provides integration with Atlassian Jira. Starting in version 1.3.0 and prior to version 1.3.2, template and field configuration forms perform the deletion action before user input is validated, including the cross site request forgery token. This issue is fixed in version 1.3.2. There are no known workarounds. • https://github.com/Icinga/icingaweb2-module-jira/commit/7f0c53b7a3e87be2f4c2e8840805d7b7c9762424 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-24714 – Disclosure of hosts and related data, linked to decommissioned services in Icinga Web 2
https://notcve.org/view.php?id=CVE-2022-24714
08 Mar 2022 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted... • https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293 • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 74%CPEs: 2EXPL: 5CVE-2022-24715 – Arbitrary code execution for authenticated users in Icinga Web 2
https://notcve.org/view.php?id=CVE-2022-24715
08 Mar 2022 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration. Icinga Web 2 es una interfaz web de monitorización de código abierto, un framework y una interfaz de l... • https://packetstorm.news/files/id/173516 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 91%CPEs: 1EXPL: 8CVE-2022-24716 – Path traversal in Icinga Web 2
https://notcve.org/view.php?id=CVE-2022-24716
08 Mar 2022 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated. Icinga Web 2 es una interfaz web de monitorización de código abierto, un framework y una interfaz de línea de comandos. • https://packetstorm.news/files/id/171774 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-37698 – Missing TLS service certificate validation in GelfWriter, ElasticsearchWriter, InfluxdbWriter and Influxdb2Writer
https://notcve.org/view.php?id=CVE-2021-37698
19 Aug 2021 — Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version ... • https://github.com/Icinga/icinga2/releases/tag/v2.11.11 • CWE-295: Improper Certificate Validation •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 2CVE-2021-32743 – Passwords used to access external services inadvertently exposed through API
https://notcve.org/view.php?id=CVE-2021-32743
15 Jul 2021 — Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes th... • https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 • CWE-202: Exposure of Sensitive Information Through Data Queries •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2021-32739 – Results of queries for ApiListener objects include the ticket salt which allows in turn to steal (more privileged) identities
https://notcve.org/view.php?id=CVE-2021-32739
15 Jul 2021 — Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-ony user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, th... • https://github.com/Icinga/icinga2/security/advisories/GHSA-98wp-jc6q-x5q5 • CWE-267: Privilege Defined With Unsafe Actions CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-32747 – Custom variable protection and blacklists can be circumvented
https://notcve.org/view.php?id=CVE-2021-32747
12 Jul 2021 — Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in user... • https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-32746 – Possible path traversal by use of the `doc` module
https://notcve.org/view.php?id=CVE-2021-32746
12 Jul 2021 — Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. • https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29663 – Gentoo Linux Security Advisory 202412-08
https://notcve.org/view.php?id=CVE-2020-29663
15 Dec 2020 — Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.3. Icinga versiones 2 v2.8.0 hasta v2.11.7 y versión v2.12.2, presenta un problema en donde los certificados revocados que deben renovarse serán renovados automáticamente, ignorando la CRL. Este problema es corregido en Icinga versiones 2 v2.11.8 y v2.12.3 Multiple vulnerabilities have been discovered in Ic... • https://github.com/Icinga/icinga2/compare/v2.12.1...v2.12.2 • CWE-295: Improper Certificate Validation •