Possible path traversal by use of the `doc` module
CVE-2021-32746

5.3MEDIUM

Key Information:

Vendor

Icinga

Status
Icingaweb2
Vendor
CVE Published:
12 July 2021

What is CVE-2021-32746?

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the doc module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the doc module or revoke permission to use it from all users.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

icingaweb2 >= 2.3.0, <= 2.8.2

References

https://github.com/Icinga/icingaweb2/security/advisories/...
x_refsource_CONFIRM
https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5
x_refsource_MISC
https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.