CVE-2022-24715

NameCVE-2022-24715
DescriptionIcinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
icingaweb2 (PTS)stretch2.4.1-1vulnerable
stretch (security)2.4.1-1+deb9u1vulnerable
buster, buster (security)2.6.2-3+deb10u1vulnerable
bullseye2.8.2-2vulnerable
sid2.10.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
icingaweb2source(unstable)2.9.6-1

Notes

[bullseye] - icingaweb2 <no-dsa> (Minor issue)
[buster] - icingaweb2 <no-dsa> (Minor issue)
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63
https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb
Search for package or bug name: Reporting problems