SB2021071232 - Improper access control in Icinga Web 2



SB2021071232 - Improper access control in Icinga Web 2

Published: July 12, 2021 Updated: July 6, 2026

Security Bulletin ID SB2021071232
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2021-32747)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the monitoring list routes when processing the undocumented addColumns URL parameter. A remote user can supply crafted addColumns values to disclose sensitive information.

The issue affects access to custom variables on the host and service list routes, including JSON and CSV exports.


Remediation

Install update from vendor's website.