CVE-2022-24716
Path traversal in Icinga Web 2
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Produtos afetados
Icinga · icingaweb2PoCs públicas encontradas — 7
githubgithub.com/0x0Jackal/CVE-2022-24716★ 3githubgithub.com/gmh5225/CVE-2022-24716★ 0githubgithub.com/pumpkinpiteam/CVE-2022-24716★ 0githubgithub.com/antisecc/CVE-2022-24716★ 0githubgithub.com/gmh5225/CVE-2022-24716-2★ 0cve_referencepacketstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.htmlnão verificadoexploitdbwww.exploit-db.com/exploits/51329não verificado⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.
Quer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.htmlhttps://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773dhttps://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frwhttps://security.gentoo.org/glsa/202208-05