CVE-2021-32747

Опубликовано: 12 июл. 2021

Источник: nvd

CVSS3: 5.3

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to setup protection rules and blacklists in a user's role. Protection rules result in *** being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected rou

Ссылки

https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5
Release Notes
Third Party Advisory
https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3
Release Notes
Third Party Advisory
https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0
Release Notes
Third Party Advisory
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx
Exploit
Third Party Advisory
https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5
Release Notes
Third Party Advisory
https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3
Release Notes
Third Party Advisory
https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0
Release Notes
Third Party Advisory
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 2.7.5 (исключая)

cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*

Версия от 2.8.0 (включая) до 2.8.3 (исключая)

EPSS

Процентиль: 66%

0.00511

Низкий

5.3 Medium

CVSS3

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-200

Связанные уязвимости

CVE-2021-32747

CVSS3: 5.3

ubuntu

больше 4 лет назад

Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to setup protection rules and blacklists in a user's role. Protection rules result in `***` being shown instead of the original value, the key will remain. Backlists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected ...

CVE-2021-32747

CVSS3: 5.3

debian

больше 4 лет назад

Icinga Web 2 is an open source monitoring web interface, framework, an ...

BDU:2022-01789

CVSS3: 6.5

fstec

больше 4 лет назад

Уязвимость PHP фреймворка Icinga Web 2, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальным данным

EPSS

Процентиль: 66%

0.00511

Низкий

5.3 Medium

CVSS3

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-200