CVE-2024-24820 - OpenCVE

Vendors	Products
Icinga	Icinga

Link	Resource
https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/	Press/Media Coverage
https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3	Third Party Advisory
https://github.com/Icinga/icingaweb2/issues?q=is%3Aissue++is%3Aclosed+4979+4960+4947	Issue Tracking
https://github.com/nbuchwitz/icingaweb2-module-map/pull/86	Exploit
https://support.apple.com/en-is/guide/safari/sfri11471/16.0	Third Party Advisory
https://www.chromium.org/updates/same-site/	Issue Tracking

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-24820", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-31T16:28:17.943Z", "datePublished": "2024-02-09T00:00:00.692Z", "dateUpdated": "2024-02-09T00:00:00.692Z"}, "containers": {"cna": {"title": "Icinga Director configuration is susceptible to Cross-Site Request Forgery", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3"}, {"name": "https://github.com/nbuchwitz/icingaweb2-module-map/pull/86", "tags": ["x_refsource_MISC"], "url": "https://github.com/nbuchwitz/icingaweb2-module-map/pull/86"}, {"name": "https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/", "tags": ["x_refsource_MISC"], "url": "https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/"}, {"name": "https://github.com/Icinga/icingaweb2/issues?q=is%3Aissue++is%3Aclosed+4979+4960+4947", "tags": ["x_refsource_MISC"], "url": "https://github.com/Icinga/icingaweb2/issues?q=is%3Aissue++is%3Aclosed+4979+4960+4947"}, {"name": "https://support.apple.com/en-is/guide/safari/sfri11471/16.0", "tags": ["x_refsource_MISC"], "url": "https://support.apple.com/en-is/guide/safari/sfri11471/16.0"}, {"name": "https://www.chromium.org/updates/same-site/", "tags": ["x_refsource_MISC"], "url": "https://www.chromium.org/updates/same-site/"}], "affected": [{"vendor": "Icinga", "product": "icingaweb2-module-director", "versions": [{"version": ">=1.0.0, < 1.8.2", "status": "affected"}, {"version": ">= 1.9.0, < 1.9.2", "status": "affected"}, {"version": ">= 1.10.0, < 1.10.3", "status": "affected"}, {"version": ">= 1.11.0, < 1.11.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-09T00:00:00.692Z"}, "descriptions": [{"lang": "en", "value": "Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x, should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as well and upgrades to the most recent release of the 2.9, 2.10 or 2.11 branch must be performed if not done yet. Any later major release is also suitable. Icinga Director will receive minor updates to the 1.8, 1.9, 1.10 and 1.11 branches to remedy this issue. Upgrade immediately to a patched release. If that is not feasible, disable the director module for the time being."}], "source": {"advisory": "GHSA-3mwp-5p5v-j6q3", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B846BE2-8F30-4A4A-A62B-F5205F5623D3", "versionEndExcluding": "1.8.2", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*", "matchCriteriaId": "365FE35F-72DF-4287-9FDF-6D7E987C9534", "versionEndExcluding": "1.9.2", "versionStartIncluding": "1.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*", "matchCriteriaId": "D59D8750-4A96-4F59-9C75-EF57F9ABD2ED", "versionEndExcluding": "1.10.3", "versionStartIncluding": "1.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*", "matchCriteriaId": "87E0A7CE-F6C5-4931-BE94-D36DC69A4005", "versionEndExcluding": "1.11.3", "versionStartIncluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x, should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as well and upgrades to the most recent release of the 2.9, 2.10 or 2.11 branch must be performed if not done yet. Any later major release is also suitable. Icinga Director will receive minor updates to the 1.8, 1.9, 1.10 and 1.11 branches to remedy this issue. Upgrade immediately to a patched release. If that is not feasible, disable the director module for the time being."}, {"lang": "es", "value": "Icinga Director es una herramienta manipulada para facilitar el manejo de la configuraci\u00f3n de Icinga 2. Ninguno de los formularios de configuraci\u00f3n de Icinga Director utilizados para manipular el entorno de monitoreo est\u00e1 protegido contra cross site request forgery (CSRF). Permite a los atacantes realizar cambios en el entorno de monitoreo administrado por Icinga Director sin el conocimiento de la v\u00edctima. Los usuarios del m\u00f3dulo de mapas en la versi\u00f3n 1.x deben actualizar inmediatamente a la versi\u00f3n 2.0. Las vulnerabilidades XSS mencionadas en Icinga Web tambi\u00e9n ya est\u00e1n solucionadas y se deben realizar actualizaciones a la versi\u00f3n m\u00e1s reciente de la rama 2.9, 2.10 o 2.11 si a\u00fan no se han hecho. Cualquier versi\u00f3n importante posterior tambi\u00e9n es adecuada. Icinga Director recibir\u00e1 actualizaciones menores para las ramas 1.8, 1.9, 1.10 y 1.11 para solucionar este problema. Actualice inmediatamente a una versi\u00f3n parcheada. Si eso no es posible, desactive el m\u00f3dulo director por el momento."}], "id": "CVE-2024-24820", "lastModified": "2024-02-16T21:36:58.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-02-09T00:15:08.437", "references": [{"source": "security-advisories@github.com", "tags": ["Press/Media Coverage"], "url": "https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/Icinga/icingaweb2/issues?q=is%3Aissue++is%3Aclosed+4979+4960+4947"}, {"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/nbuchwitz/icingaweb2-module-map/pull/86"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/en-is/guide/safari/sfri11471/16.0"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://www.chromium.org/updates/same-site/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

JSON object

JSON object

JSON object