CVE-2022-24716
Path traversal in Icinga Web 2
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Icinga · icingaweb2public PoCs found — 7
githubgithub.com/0x0Jackal/CVE-2022-24716★ 3githubgithub.com/gmh5225/CVE-2022-24716★ 0githubgithub.com/pumpkinpiteam/CVE-2022-24716★ 0githubgithub.com/antisecc/CVE-2022-24716★ 0githubgithub.com/gmh5225/CVE-2022-24716-2★ 0cve_referencepacketstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.htmlunverifiedexploitdbwww.exploit-db.com/exploits/51329unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.htmlhttps://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773dhttps://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frwhttps://security.gentoo.org/glsa/202208-05