Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2024-49369

Опубликовано: 12 нояб. 2024
Источник: debian

Описание

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
icinga2fixed2.14.3-1package
icinga2fixed2.13.6-2+deb12u2bookwormpackage

Примечания

  • https://github.com/Icinga/icinga2/security/advisories/GHSA-j7wq-r9mg-9wpv

  • https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3/

  • Fixed by: https://github.com/Icinga/icinga2/commit/2febc5e18ae0c93d989e64ebc2a9fd90e7205ad8 (v2.14.3)

  • Fixed by: https://github.com/Icinga/icinga2/commit/3504fc7ed688c10d86988e2029a65efc311393fe (v2.13.10)

  • Fixed by: https://github.com/Icinga/icinga2/commit/0419a2c36de408e9a703aec0962061ec9a285d3c (v2.12.11)

  • Fixed by: https://github.com/Icinga/icinga2/commit/8fed6608912c752b337d977f730547875a820831 (v2.11.12)

Связанные уязвимости

ubuntu логотип

CVE-2024-49369

CVSS3: 9.8
ubuntu
около 1 года назад

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

nvd логотип

CVE-2024-49369

CVSS3: 9.8
nvd
около 1 года назад

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

suse-cvrf логотип

openSUSE-SU-2024:0372-1

suse-cvrf
около 1 года назад

Security update for icinga2

suse-cvrf логотип

openSUSE-SU-2024:0371-1

suse-cvrf
около 1 года назад

Security update for icinga2

fstec логотип

BDU:2024-10083

CVSS3: 9.8
fstec
больше 1 года назад

Уязвимость функции set_verify_callback() системы мониторинга доступности сетевых ресурсов Icinga, позволяющая нарушителю обойти ограничения безопасности, получить несанкционированный доступ к защищаемой информации или выполнить произвольные команды