Icinga
Monthly
Icinga 2 on Windows versions 2.3.0 through 2.15.1 fail to properly restrict file permissions on the `%ProgramData%\icinga2\var` directory, allowing any local user to read sensitive data including private keys and synchronized configurations. All Windows installations are affected, and attackers with local access can extract cryptographic material and configuration details for lateral movement or further compromise. Patches are available in versions 2.13.14, 2.14.8, and 2.15.2, with workarounds available through updated Icinga for Windows packages or manual ACL remediation.
Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in Icinga2 before v2.12.0-rc1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
An issue was discovered in Icinga 2.x through 2.8.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in Icinga 2.x through 2.8.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Icinga 2.x through 2.8.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in Icinga 2.x through 2.8.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Icinga 2.x through 2.8.1. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.
Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Multiple off-by-one errors in Icinga, possibly 1.10.2 and earlier, allow remote attackers to cause a denial of service (crash) via unspecified vectors to the (1) display_nav_table, (2). Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 48.6%.
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1.8.5, 1.9.4, 1.10.2, and earlier allows remote attackers to hijack the authentication of users for unspecified commands via. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 79.9%.
The database creation script (module/idoutils/db/scripts/create_mysqldb.sh) in Icinga 1.7.1 grants access to all databases to the icinga user, which allows icinga users to access other databases via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Icinga 2 on Windows versions 2.3.0 through 2.15.1 fail to properly restrict file permissions on the `%ProgramData%\icinga2\var` directory, allowing any local user to read sensitive data including private keys and synchronized configurations. All Windows installations are affected, and attackers with local access can extract cryptographic material and configuration details for lateral movement or further compromise. Patches are available in versions 2.13.14, 2.14.8, and 2.15.2, with workarounds available through updated Icinga for Windows packages or manual ACL remediation.
Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in Icinga2 before v2.12.0-rc1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
An issue was discovered in Icinga 2.x through 2.8.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in Icinga 2.x through 2.8.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Icinga 2.x through 2.8.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in Icinga 2.x through 2.8.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Icinga 2.x through 2.8.1. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.
Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Multiple off-by-one errors in Icinga, possibly 1.10.2 and earlier, allow remote attackers to cause a denial of service (crash) via unspecified vectors to the (1) display_nav_table, (2). Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 48.6%.
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1.8.5, 1.9.4, 1.10.2, and earlier allows remote attackers to hijack the authentication of users for unspecified commands via. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 79.9%.
The database creation script (module/idoutils/db/scripts/create_mysqldb.sh) in Icinga 1.7.1 grants access to all databases to the icinga user, which allows icinga users to access other databases via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.