CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-37698 – Missing TLS service certificate validation in GelfWriter, ElasticsearchWriter, InfluxdbWriter and Influxdb2Writer
https://notcve.org/view.php?id=CVE-2021-37698
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such instances should also change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds aside from upgrading. • https://github.com/Icinga/icinga2/releases/tag/v2.11.11 https://github.com/Icinga/icinga2/releases/tag/v2.12.6 https://github.com/Icinga/icinga2/releases/tag/v2.13.1 https://github.com/Icinga/icinga2/security/advisories/GHSA-cxfm-8j5v-5qr2 https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html • CWE-295: Improper Certificate Validation •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 2CVE-2021-32743 – Passwords used to access external services inadvertently exposed through API
https://notcve.org/view.php?id=CVE-2021-32743
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. • https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10 https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html • CWE-202: Exposure of Sensitive Information Through Data Queries •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2021-32739 – Results of queries for ApiListener objects include the ticket salt which allows in turn to steal (more privileged) identities
https://notcve.org/view.php?id=CVE-2021-32739
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-ony user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. • https://github.com/Icinga/icinga2/security/advisories/GHSA-98wp-jc6q-x5q5 https://icinga.com/blog/2021/07/02/releasing-icinga-2-12-5-2-11-10 https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html • CWE-267: Privilege Defined With Unsafe Actions CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-32747 – Custom variable protection and blacklists can be circumvented
https://notcve.org/view.php?id=CVE-2021-32747
Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. • https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5 https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3 https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0 https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-32746 – Possible path traversal by use of the `doc` module
https://notcve.org/view.php?id=CVE-2021-32746
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. • https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5 https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3 https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0 https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •