CVE-2020-24368 - OpenCVE

Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Suse	Linux Enterprise Package Hub
Icinga	Icinga Web 2

Configuration 1 [-]

OR	cpe:2.3:a:icinga:icinga_web_2::::::::
	cpe:2.3:a:icinga:icinga_web_2::::::::
	cpe:2.3:a:icinga:icinga_web_2::::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10:::::::*

Configuration 3 [-]

AND

cpe:2.3:a:suse:package_hub:-:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00026.html	Mailing List Third Party Advisory
https://github.com/Icinga/icingaweb2/blob/master/CHANGELOG.md	Release Notes Third Party Advisory
https://github.com/Icinga/icingaweb2/issues/4226	Exploit Issue Tracking Third Party Advisory
https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/08/msg00040.html	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202208-05	Third Party Advisory
https://www.debian.org/security/2020/dsa-4747	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-08-19T14:25:07

Updated: 2022-08-04T15:12:41

Reserved: 2020-08-17T00:00:00

Link: CVE-2020-24368

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-08-19T15:15:12.620

Modified: 2022-12-13T15:54:33.043

Link: CVE-2020-24368

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-04T15:12:41", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/Icinga/icingaweb2/blob/master/CHANGELOG.md"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Icinga/icingaweb2/issues/4226"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/"}, {"name": "DSA-4747", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4747"}, {"name": "[debian-lts-announce] 20200824 [SECURITY] [DLA 2343-1] icingaweb2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00040.html"}, {"name": "openSUSE-SU-2020:1674", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00026.html"}, {"name": "GLSA-202208-05", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-05"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24368", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Icinga/icingaweb2/blob/master/CHANGELOG.md", "refsource": "MISC", "url": "https://github.com/Icinga/icingaweb2/blob/master/CHANGELOG.md"}, {"name": "https://github.com/Icinga/icingaweb2/issues/4226", "refsource": "MISC", "url": "https://github.com/Icinga/icingaweb2/issues/4226"}, {"name": "https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/", "refsource": "CONFIRM", "url": "https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/"}, {"name": "DSA-4747", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4747"}, {"name": "[debian-lts-announce] 20200824 [SECURITY] [DLA 2343-1] icingaweb2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00040.html"}, {"name": "openSUSE-SU-2020:1674", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00026.html"}, {"name": "GLSA-202208-05", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-05"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24368", "datePublished": "2020-08-19T14:25:07", "dateReserved": "2020-08-17T00:00:00", "dateUpdated": "2022-08-04T15:12:41", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "ECF58CFB-8102-44AC-8089-05199B4B751C", "versionEndExcluding": "2.6.4", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "1674480E-B24C-4E01-8DAA-56DF162377A4", "versionEndExcluding": "2.7.4", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "09DAF5BB-7F3F-4F2E-B5CE-169DF46584A7", "versionEndExcluding": "2.8.2", "versionStartIncluding": "2.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10:*:*:*:*:*:*:*", "matchCriteriaId": "3AA94636-56D9-400F-9B7C-6548CF182EB5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:package_hub:-:*:*:*:*:*:*:*", "matchCriteriaId": "284A8DA0-317B-4BBE-AECB-7E91BBF0DD3B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "CBC8B78D-1131-4F21-919D-8AC79A410FB9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2."}, {"lang": "es", "value": "Icinga Icinga Web 2 versiones 2.0.0 hasta 2.6.4, 2.7.4 y 2.8.2, presenta una vulnerabilidad de Salto de Directorio que permite a un atacante acceder a archivos arbitrarios que son legibles por el proceso que ejecuta Icinga Web 2. Este problema se corrigi\u00f3 en Icinga Web 2 en versiones v2.6.4, v2.7.4 y v2.8.2."}], "id": "CVE-2020-24368", "lastModified": "2022-12-13T15:54:33.043", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-19T15:15:12.620", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00026.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Icinga/icingaweb2/blob/master/CHANGELOG.md"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/Icinga/icingaweb2/issues/4226"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00040.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-05"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4747"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}