CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-49369 – Icinga 2 has a TLS Certificate Validation Bypass for JSON-RPC and HTTP API Connections
https://notcve.org/view.php?id=CVE-2024-49369
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12. • https://github.com/Icinga/icinga2/commit/0419a2c36de408e9a703aec0962061ec9a285d3c https://github.com/Icinga/icinga2/commit/2febc5e18ae0c93d989e64ebc2a9fd90e7205ad8 https://github.com/Icinga/icinga2/commit/3504fc7ed688c10d86988e2029a65efc311393fe https://github.com/Icinga/icinga2/commit/869a7d6f0fe38c748e67bacc1fbdd42c933030f6 https://github.com/Icinga/icinga2/commit/8fed6608912c752b337d977f730547875a820831 https://github.com/Icinga/icinga2/security/advisories/GHSA-j7wq-r9mg-9wpv https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14- • CWE-295: Improper Certificate Validation •
CVSS: 3.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41811 – ipl/web susceptible to Cross-Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2024-41811
ipl/web is a set of common web components for php projects. Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery. (CSRF). All affected products, in any version, will be unaffected by this once `icinga-php-library` is upgraded. Version 0.10.1 includes a fix for this. • https://github.com/Icinga/ipl-web/commit/492336fdb57a5bb0881ed642ab36f5841337571e https://github.com/Icinga/ipl-web/security/advisories/GHSA-w9pg-7c3h-fc8j • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24819 – icingaweb2-module-incubator base implementation for HTML forms is susceptible to CSRF
https://notcve.org/view.php?id=CVE-2024-24819
icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\Web\Form` is the base for various concrete form implementations [1] and provides protection against cross site request forgery (CSRF) by default. This is done by automatically adding an element with a CSRF token to any form, unless explicitly disabled, but even if enabled, the CSRF token (sent during a client's submission of a form relying on it) is not validated. This enables attackers to perform changes on behalf of a user which, unknowingly, interacts with a prepared link or website. The version 0.22.0 is available to remedy this issue. • https://github.com/Icinga/icingaweb2-module-incubator/commit/db7dc49585fee0b4e96be666d7f6009a74a1ccb5 https://github.com/Icinga/icingaweb2-module-incubator/security/advisories/GHSA-p8vv-9pqq-rm8p https://github.com/search?q=gipfl%5CWeb%5CForm%3B&type=code • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 1CVE-2024-24820 – Icinga Director configuration is susceptible to Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-24820
Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x, should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as well and upgrades to the most recent release of the 2.9, 2.10 or 2.11 branch must be performed if not done yet. • https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3 https://github.com/Icinga/icingaweb2/issues?q=is%3Aissue++is%3Aclosed+4979+4960+4947 https://github.com/nbuchwitz/icingaweb2-module-map/pull/86 https://support.apple.com/en-is/guide/safari/sfri11471/16.0 https://www.chromium.org/updates/same-site • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30607 – icingaweb2-module-jira template and field configuration are susceptible to CSRF
https://notcve.org/view.php?id=CVE-2023-30607
icingaweb2-module-jira provides integration with Atlassian Jira. Starting in version 1.3.0 and prior to version 1.3.2, template and field configuration forms perform the deletion action before user input is validated, including the cross site request forgery token. This issue is fixed in version 1.3.2. There are no known workarounds. • https://github.com/Icinga/icingaweb2-module-jira/commit/7f0c53b7a3e87be2f4c2e8840805d7b7c9762424 https://github.com/Icinga/icingaweb2-module-jira/releases/tag/v1.3.2 https://github.com/Icinga/icingaweb2-module-jira/security/advisories/GHSA-gh7w-7f7j-gwp5 • CWE-352: Cross-Site Request Forgery (CSRF) •