Vulnerability Details CVE-2022-24716
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.932
EPSS Ranking 99.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.html
- https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d
- https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw
- https://security.gentoo.org/glsa/202208-05
- http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.html
- https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d
- https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw
- https://security.gentoo.org/glsa/202208-05
Products affected by CVE-2022-24716
-
cpe:2.3:a:icinga:icinga_web_2:*