Icinga Web 2
CVE-2020-24368
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.
AnalysisAI
Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2. Affected products include: Icinga Icinga Web 2, Debian Debian Linux, Suse Package Hub. Version information: through 2.6.4.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
More in Icinga Web 2
View allIcinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as
Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module
Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string,
Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter. Rated medium severity (CVSS 5.4), t
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated high severity (CVSS
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CV
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CV
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated low severity (CVSS
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today