CVE-2020-29663
https://notcve.org/view.php?id=CVE-2020-29663
Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.3. Icinga versiones 2 v2.8.0 hasta v2.11.7 y versión v2.12.2, presenta un problema en donde los certificados revocados que deben renovarse serán renovados automáticamente, ignorando la CRL. Este problema es corregido en Icinga versiones 2 v2.11.8 y v2.12.3 • https://github.com/Icinga/icinga2/compare/v2.12.1...v2.12.2 https://github.com/Icinga/icinga2/security/advisories/GHSA-pcmr-2p2f-r7j6 • CWE-295: Improper Certificate Validation •
CVE-2020-14004
https://notcve.org/view.php?id=CVE-2020-14004
An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user. Se detectó un problema en Icinga2 versiones anteriores a v2.12.0-rc1. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00014.html http://www.openwall.com/lists/oss-security/2020/06/12/1 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-14004 https://github.com/Icinga/icinga2/compare/v2.12.0-rc1...master https://github.com/Icinga/icinga2/pull/8045/commits/2f0f2e8c355b75fa4407d23f85feea037d2bc4b6 https://github.com/Icinga/icinga2/releases • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2018-6532
https://notcve.org/view.php?id=CVE-2018-6532
An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted (authenticated and unauthenticated) requests, an attacker can exhaust a lot of memory on the server side, triggering the OOM killer. Se ha descubierto un problema en Icinga, en versiones 2.x hasta la 2.8.1. Mediante el envío de peticiones (autenticadas y no autenticadas) especialmente manipuladas, un atacante puede agotar mucha memoria del lado del servidor, desencadenando el killer OOM. • https://github.com/Icinga/icinga2/pull/6103 • CWE-400: Uncontrolled Resource Consumption •
CVE-2018-6535
https://notcve.org/view.php?id=CVE-2018-6535
An issue was discovered in Icinga 2.x through 2.8.1. The lack of a constant-time password comparison function can disclose the password to an attacker. Se ha descubierto un problema en Icinga, en versiones 2.x hasta la 2.8.1. La falta de una función de comparación de contraseña en tiempo constante (constant-time) puede revelar la contraseña a un atacante. • https://github.com/Icinga/icinga2/issues/4920 https://github.com/Icinga/icinga2/pull/5715 •
CVE-2018-6533
https://notcve.org/view.php?id=CVE-2018-6533
An issue was discovered in Icinga 2.x through 2.8.1. By editing the init.conf file, Icinga 2 can be run as root. Following this the program can be used to run arbitrary code as root. This was fixed by no longer using init.conf to determine account information for any root-executed code (a larger issue than CVE-2017-16933). Se ha descubierto un problema en Icinga, en versiones 2.x hasta la 2.8.1. • https://github.com/Icinga/icinga2/pull/5850 •