Vulnerability Details CVE-2021-32746
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 lets users view documentation directly in the UI. The module must be enabled manually by an administrator, and users need explicit access permission to use it. With that access, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.6%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 3.5
Products affected by CVE-2021-32746
- cpe:2.3:a:icinga:icinga:2.3.0
- cpe:2.3:a:icinga:icinga:2.3.1
- cpe:2.3:a:icinga:icinga:2.3.10
- cpe:2.3:a:icinga:icinga:2.3.11
- cpe:2.3:a:icinga:icinga:2.3.2
- cpe:2.3:a:icinga:icinga:2.3.3
- cpe:2.3:a:icinga:icinga:2.3.4
- cpe:2.3:a:icinga:icinga:2.3.5
- cpe:2.3:a:icinga:icinga:2.3.6
- cpe:2.3:a:icinga:icinga:2.3.7
- cpe:2.3:a:icinga:icinga:2.3.8
- cpe:2.3:a:icinga:icinga:2.3.9
- cpe:2.3:a:icinga:icinga:2.4.0
- cpe:2.3:a:icinga:icinga:2.4.1
- cpe:2.3:a:icinga:icinga:2.4.10
- cpe:2.3:a:icinga:icinga:2.4.2
- cpe:2.3:a:icinga:icinga:2.4.3
- cpe:2.3:a:icinga:icinga:2.4.4
- cpe:2.3:a:icinga:icinga:2.4.5
- cpe:2.3:a:icinga:icinga:2.4.6
- cpe:2.3:a:icinga:icinga:2.4.7
- cpe:2.3:a:icinga:icinga:2.4.8
- cpe:2.3:a:icinga:icinga:2.4.9
- cpe:2.3:a:icinga:icinga:2.5.0
- cpe:2.3:a:icinga:icinga:2.5.1
- cpe:2.3:a:icinga:icinga:2.5.2
- cpe:2.3:a:icinga:icinga:2.5.3
- cpe:2.3:a:icinga:icinga:2.5.4
- cpe:2.3:a:icinga:icinga:2.6.0
- cpe:2.3:a:icinga:icinga:2.6.1
- cpe:2.3:a:icinga:icinga:2.6.2
- cpe:2.3:a:icinga:icinga:2.6.3
- cpe:2.3:a:icinga:icinga:2.7.0
- cpe:2.3:a:icinga:icinga:2.7.1
- cpe:2.3:a:icinga:icinga:2.7.2
- cpe:2.3:a:icinga:icinga:2.7.3
- cpe:2.3:a:icinga:icinga:2.7.4
- cpe:2.3:a:icinga:icinga:2.8.0
- cpe:2.3:a:icinga:icinga:2.8.1
- cpe:2.3:a:icinga:icinga:2.8.2