Source: icingaweb2
Version: 2.8.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.6.2-3+deb10u1
Control: found -1 2.6.2-3
Hi,

The following vulnerabilities were published for icingaweb2.

CVE-2021-32746[0]:
| Icinga Web 2 is an open source monitoring web interface, framework and
| command-line interface. Between versions 2.3.0 and 2.8.2, the `doc`
| module of Icinga Web 2 allows viewing documentation directly in the
| UI. It must be enabled manually by an administrator and users need
| explicit access permission to use it. Then, by visiting a certain
| route, it is possible to gain access to arbitrary files readable by
| the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and
| 2.7.5 releases. As a workaround, an administrator may disable the
| `doc` module or revoke permission to use it from all users.

CVE-2021-32747[1]:
| Icinga Web 2 is an open source monitoring web interface, framework,
| and command-line interface. A vulnerability in which custom variables
| are exposed to unauthorized users exists between versions 2.0.0 and
| 2.8.2. Custom variables are user-defined keys and values on
| configuration objects in Icinga 2. These are commonly used to
| reference secrets in other configurations such as check commands to be
| able to authenticate with a service being checked. Icinga Web 2
| displays these custom variables to logged-in users with access to said
| hosts or services. In order to protect the secrets from being visible
| to anyone, it's possible to set up protection rules and blacklists in a
| user's role. Protection rules result in `***` being shown instead of
| the original value; the key will remain. Blacklists will hide a custom
| variable entirely from the user. Besides using the UI, custom
| variables can also be accessed differently by using an undocumented
| URL parameter. By adding a parameter to the affected routes, Icinga
| Web 2 will show these columns additionally in the respective list.
| This parameter is also respected when exporting to JSON or CSV.
| Protection rules and blacklists however have no effect in this case.
| Custom variables are shown as-is in the result. The issue has been
| fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one
| may set up a restriction to hide hosts and services with the custom
| variable in question.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32746
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32746
    https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43
[1] https://security-tracker.debian.org/tracker/CVE-2021-32747
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32747
    https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx

Regards,
Salvatore
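The second advisory describes a classic failure mode: protection rules and blacklists are enforced in the UI rendering path but not in the parameter-driven list columns or the JSON/CSV exports, so the same data leaks through a side door. The following is an added illustrative model, not Icinga Web 2's own code, of the two role mechanisms the advisory names (protection rules masking a value with `***` while keeping the key, blacklists hiding the key entirely) and of the design that closes that class of bypass: the filtering happens once, in a single row-building step, and every output format, whether HTML list, JSON or CSV, is built from the already-filtered rows. The `filter_custom_vars` and `HostListView` names, the glob-based rule matching and the sample hosts are constructed for the example.

```python
"""Illustrative model of custom-variable filtering for a monitoring UI.

Constructed example, not Icinga Web 2's own code. It models the two
mechanisms the advisory describes (protection rules masking a value with
'***', blacklists hiding a key entirely) and shows why the filtering must
be applied once, centrally, rather than separately in each output path.
"""
import csv
import fnmatch
import io
import json

MASK = "***"


def filter_custom_vars(custom_vars, protection_rules, blacklist):
    """Return a copy of custom_vars with role restrictions applied.

    protection_rules: glob patterns; matching keys keep the key but show MASK.
    blacklist: glob patterns; matching keys are removed entirely.
    A blacklist match wins over a protection match when both apply.
    """
    out = {}
    for key, value in custom_vars.items():
        if any(fnmatch.fnmatchcase(key, p) for p in blacklist):
            continue
        if any(fnmatch.fnmatchcase(key, p) for p in protection_rules):
            out[key] = MASK
        else:
            out[key] = value
    return out


class HostListView:
    """One place builds the rows; every output format consumes those rows."""

    def __init__(self, hosts, protection_rules, blacklist):
        self.hosts = hosts
        self.protection_rules = protection_rules
        self.blacklist = blacklist

    def rows(self, extra_columns=()):
        """Build list rows; extra_columns models a caller-supplied column list
        (the advisory's URL-parameter case). Requested columns are resolved
        against the filtered mapping only, so a blacklisted key yields no
        value and a protected key yields the mask, whatever the format."""
        rows = []
        for host in self.hosts:
            safe_vars = filter_custom_vars(
                host["vars"], self.protection_rules, self.blacklist
            )
            row = {"host_name": host["name"]}
            for col in extra_columns:
                row[col] = safe_vars.get(col)
            rows.append(row)
        return rows

    def to_json(self, extra_columns=()):
        # Export reuses rows(); there is no second, unfiltered data path.
        return json.dumps(self.rows(extra_columns), sort_keys=True)

    def to_csv(self, extra_columns=()):
        buf = io.StringIO()
        fields = ["host_name", *extra_columns]
        writer = csv.DictWriter(buf, fieldnames=fields)
        writer.writeheader()
        writer.writerows(self.rows(extra_columns))
        return buf.getvalue()


# Constructed sample data: one host with a secret, a harmless value and a
# value the role hides completely.
SAMPLE_HOSTS = [
    {
        "name": "db01",
        "vars": {
            "db_password": "hunter2",
            "os": "Debian",
            "snmp_community": "public",
        },
    },
]
PROTECTION = ["*password*"]   # show key, mask value
BLACKLIST = ["snmp_*"]        # drop key and value

if __name__ == "__main__":
    view = HostListView(SAMPLE_HOSTS, PROTECTION, BLACKLIST)
    cols = ["os", "db_password", "snmp_community"]
    print(view.to_json(cols))
    print(view.to_csv(cols))
```

The point a reviewer would check in the real code base is the one the model makes structurally: any endpoint that accepts a column list from the request, and any exporter, must obtain its data from the same filtered source as the normal view, so a new parameter or output format cannot reintroduce the leak.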