[Pkg-nagios-devel] Bug#991116: icingaweb2: CVE-2021-32746 CVE-2021-32747

Salvatore Bonaccorso carnil at debian.org
Wed Jul 14 20:00:52 BST 2021


Source: icingaweb2
Version: 2.8.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 2.6.2-3+deb10u1
Control: found -1 2.6.2-3

Hi,

The following vulnerabilities were published for icingaweb2.

CVE-2021-32746[0]:
| Icinga Web 2 is an open source monitoring web interface, framework and
| command-line interface. Between versions 2.3.0 and 2.8.2, the `doc`
| module of Icinga Web 2 allows viewing documentation directly in the
| UI. It must be enabled manually by an administrator and users need
| explicit access permission to use it. Then, by visiting a certain
| route, it is possible to gain access to arbitrary files readable by
| the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and
| 2.7.5 releases. As a workaround, an administrator may disable the
| `doc` module or revoke permission to use it from all users.


CVE-2021-32747[1]:
| Icinga Web 2 is an open source monitoring web interface, framework,
| and command-line interface. A vulnerability in which custom variables
| are exposed to unauthorized users exists between versions 2.0.0 and
| 2.8.2. Custom variables are user-defined keys and values on
| configuration objects in Icinga 2. These are commonly used to
| reference secrets in other configurations such as check commands to be
| able to authenticate with a service being checked. Icinga Web 2
| displays these custom variables to logged in users with access to said
| hosts or services. In order to protect the secrets from being visible
| to anyone, it's possible to set up protection rules and blacklists in a
| user's role. Protection rules result in `***` being shown instead of
| the original value, the key will remain. Blacklists will hide a custom
| variable entirely from the user. Besides using the UI, custom
| variables can also be accessed differently by using an undocumented
| URL parameter. By adding a parameter to the affected routes, Icinga
| Web 2 will show these columns additionally in the respective list.
| This parameter is also respected when exporting to JSON or CSV.
| Protection rules and blacklists however have no effect in this case.
| Custom variables are shown as-is in the result. The issue has been
| fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one
| may set up a restriction to hide hosts and services with the custom
| variable in question.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32746
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32746
    https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43
[1] https://security-tracker.debian.org/tracker/CVE-2021-32747
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32747
    https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx

Regards,
Salvatore
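Added example, not part of the bug report or of the Icinga project: a small
script that takes the version strings found in a report like the one above
(upstream version plus Debian revision) and decides whether they fall inside
the affected ranges the two advisories state, treating the backported fix
releases (2.7.5, 2.8.3) as fixed on their own branch. It also checks whether
the CVE-2021-32746 workaround (the `doc` module disabled) is in place; the
assumption there is the stock layout, where Icinga Web 2 marks an enabled
module with a symlink in /etc/icingaweb2/enabledModules. Note that the check
only looks at the upstream part of the version: a Debian package that carries
a backported patch keeps its upstream version, which is exactly why the report
asks maintainers to name the CVE ids in the changelog.

```python
"""Affected-version and workaround check for CVE-2021-32746 / CVE-2021-32747
in Icinga Web 2. Added example; the ranges and fixed releases come from the
advisory text quoted in the bug report. Paths are assumptions (Debian layout)."""

from pathlib import Path

# Per advisory: inclusive (first, last) affected upstream version, plus the
# releases that carry the fix. Both advisories list the same fix releases.
FIXED_RELEASES = [(2, 9, 0), (2, 8, 3), (2, 7, 5)]
ADVISORIES = {
    "CVE-2021-32746": {"affected": ((2, 3, 0), (2, 8, 2)), "fixed": FIXED_RELEASES},
    "CVE-2021-32747": {"affected": ((2, 0, 0), (2, 8, 2)), "fixed": FIXED_RELEASES},
}


def parse_version(text):
    """Reduce '2.8.2-2' or '2.6.2-3+deb10u1' to the upstream version as an
    int tuple; the Debian revision never changes the upstream range check."""
    upstream = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in upstream.split(".")]
    parts += [0] * (3 - len(parts))          # '2.9' -> (2, 9, 0)
    return tuple(parts[:3])


def is_affected(cve, version_text):
    """True if the upstream version lies in the advisory's affected window and
    is not a fix release (or later) on the same minor branch."""
    lo, hi = ADVISORIES[cve]["affected"]
    v = parse_version(version_text)
    if not (lo <= v <= hi):
        return False                          # too old, or a fixed release line
    for fix in ADVISORIES[cve]["fixed"]:
        # A backported fix such as 2.7.5 sits inside the window; everything on
        # that branch at or above it contains the fix.
        if v[:2] == fix[:2] and v >= fix:
            return False
    return True


def doc_module_enabled(config_dir="/etc/icingaweb2"):
    """Assumption: stock layout, where `icingacli module enable doc` creates
    <config_dir>/enabledModules/doc (a symlink to the module directory)."""
    marker = Path(config_dir) / "enabledModules" / "doc"
    return marker.is_symlink() or marker.exists()


def assess(version_text, config_dir="/etc/icingaweb2"):
    """Return a status string per CVE for the given package version."""
    status = {}
    for cve in ADVISORIES:
        status[cve] = "affected" if is_affected(cve, version_text) else "not affected"
    # The advisory's workaround for CVE-2021-32746 is to disable the doc module.
    if status["CVE-2021-32746"] == "affected" and not doc_module_enabled(config_dir):
        status["CVE-2021-32746"] = "affected (doc module disabled: workaround in place)"
    return status


if __name__ == "__main__":
    # Versions named in the bug report: unstable and the buster package.
    for ver in ("2.8.2-2", "2.6.2-3+deb10u1", "2.6.2-3"):
        print(ver, assess(ver))
```

Running it as root on a Debian host prints one line per version; a result of
"affected" for CVE-2021-32747 cannot be cleared by a module switch and needs
the role restriction or the fixed package.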
