SB2021071232 - Improper access control in Icinga Web 2
Published: July 12, 2021 Updated: July 6, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2021-32747)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the monitoring list routes when processing the undocumented addColumns URL parameter. A remote user can supply crafted addColumns values to disclose sensitive information.
The issue affects access to custom variables on the host and service list routes, including JSON and CSV exports.
Remediation
Install update from vendor's website.