SB2021071231 - Path traversal in Icinga Web 2



SB2021071231 - Path traversal in Icinga Web 2

Published: July 12, 2021 Updated: July 6, 2026

Security Bulletin ID SB2021071231
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Path traversal (CVE-ID: CVE-2021-32746)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in the doc module image route when handling crafted requests for documentation images. A remote user can send a specially crafted request to disclose sensitive information.

The vulnerable functionality is only exposed when the doc module is enabled and the user has explicit permission to access it.


Remediation

Install update from vendor's website.