Icinga Web 2 directory traversal | CVE-2022-24715

March 9, 2022

NAME

Icinga Web 2 directory traversal

  • Platforms Affected:
    Icinga Icinga Web 2 2.8.5
    Icinga Icinga Web 2 2.9.5
    Icinga Icinga Web 2 2.9.0
  • Risk Level:
    8.5
  • Exploitability:
    Unproven
  • Consequences:
    Gain Access

DESCRIPTION

Icinga Web 2 could allow a remote authenticated attacker to traverse directories on the system, caused by improper configuration validation. An attacker could send a specially-crafted SSH resource file containing “dot dot” sequences (/../) to execute arbitrary code on the system.

CVSS 3.0 Information

  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Access Vector: Network
  • Access Complexity: High
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
  • Remediation Level: Official Fix

MITIGATION

Upgrade to the latest version of Icinga Web 2 (2.8.6, 2.9.6, 2.10 or later), available from the Icinga Web 2 GIT Repository. See References.

  • Reference Link:
    https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63
  • Reference Link:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24715

If you like the site, please consider joining the telegram channel and supporting us on Patreon using the button below.

Digital Patreon Wordmark FieryCoralv2

You may have missed

hackerone

HackerOne Bug Bounty Disclosure: takeover-of-hackerone-engineering-via-medium-raditz

November 14, 2024
CISA Logo

CISA: CISA Releases Nineteen Industrial Control Systems Advisories

November 14, 2024
image

[HUNTERS] – Ransomware Victim: Kumla Kommun

November 14, 2024
image

[SARCOMA] – Ransomware Victim: ADT Freight Services Australia Pty Lt

November 14, 2024
image

[AKIRA] – Ransomware Victim: Berexco LLC

November 14, 2024