SB2021071543 - Multiple vulnerabilities in Icinga
Published: July 15, 2021 Updated: June 29, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2021-32743)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the Icinga API's object query handling for IdoMysqlConnection, IdoPgsqlConnection, IcingaDB, and ElasticsearchWriter objects: read requests for these object types return their configured attributes. A remote user can query the affected objects to disclose sensitive information.
Exposed credentials may allow access to external database, Redis, or Elasticsearch services with the permissions assigned to those credentials.
2) Improper access control (CVE-ID: CVE-2021-32739)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to steal more privileged identities.
The vulnerability exists due to improper access control in ApiListener object query results when handling API object queries. A remote user can query ApiListener objects to obtain the ticket salt and request a certificate for an arbitrary common name to steal more privileged identities.
Exploitation requires credentials for an API user with permission to query objects.
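Both issues share the same precondition: an API user whose permissions cover read (query) access to the affected object types. The following audit helper, added here as an example and not part of the bulletin or of the Icinga project, walks a list of API user objects and reports which accounts can query the five object types named above. It assumes (not stated in the bulletin) that Icinga 2 API users carry a `permissions` list of entries such as `"objects/query/Host"`, `"objects/*"` or `"*"`, optionally wrapped as `{"permission": ..., "filter": ...}`, and that `*` matches the remainder of a permission path. The input JSON is constructed for the example.

```python
"""Audit Icinga 2 API users for query access to the object types named in
SB2021071543. Example code, not part of the bulletin or of Icinga itself.

Assumed (not from the bulletin): API users expose a `permissions` list whose
entries are permission strings such as "objects/query/Host", "objects/*" or "*",
or dicts of the form {"permission": "...", "filter": "..."}; a "*" may stand for
the rest of a permission path.
"""
import fnmatch
import json

# Object types whose attributes the bulletin says expose credentials or the
# ticket salt when queried.
SENSITIVE_TYPES = (
    "IdoMysqlConnection",
    "IdoPgsqlConnection",
    "IcingaDB",
    "ElasticsearchWriter",
    "ApiListener",
)

# Constructed sample in the shape of an /v1/objects/apiusers response (assumed
# layout: a "results" list of objects with "name" and "attrs.permissions").
SAMPLE_API_USERS = json.dumps({
    "results": [
        {"name": "root", "type": "ApiUser",
         "attrs": {"permissions": ["*"]}},
        {"name": "dashboard", "type": "ApiUser",
         "attrs": {"permissions": ["objects/query/Host", "objects/query/Service"]}},
        {"name": "auditor", "type": "ApiUser",
         "attrs": {"permissions": [{"permission": "objects/query/*", "filter": "true"}]}},
        {"name": "notifier", "type": "ApiUser",
         "attrs": {"permissions": ["actions/*"]}},
    ]
})


def _permission_string(entry):
    """Normalise a permission entry (plain string or dict with filter) to its path."""
    if isinstance(entry, dict):
        return str(entry.get("permission", ""))
    return str(entry)


def _grants_query(permission, object_type):
    """True if `permission` covers objects/query/<object_type>.

    fnmatch's "*" also matches "/", so "objects/*" and "*" both cover the
    full query path, which is the wildcard behaviour assumed above.
    """
    target = f"objects/query/{object_type}"
    return fnmatch.fnmatchcase(target, permission)


def find_exposed_users(api_users):
    """Return {user_name: [(object_type, permission), ...]} for every API user
    whose permissions allow querying one of the SENSITIVE_TYPES."""
    data = json.loads(api_users) if isinstance(api_users, str) else api_users
    findings = {}
    for result in data.get("results", []):
        name = result.get("name", "<unnamed>")
        perms = result.get("attrs", {}).get("permissions", [])
        hits = []
        for entry in perms:
            perm = _permission_string(entry)
            for obj_type in SENSITIVE_TYPES:
                if _grants_query(perm, obj_type):
                    hits.append((obj_type, perm))
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Usage: run against a saved copy of the API users listing; here the
    # constructed sample is used so the script works offline.
    for user, hits in find_exposed_users(SAMPLE_API_USERS).items():
        types = sorted({t for t, _ in hits})
        grants = sorted({p for _, p in hits})
        print(f"{user}: can query {', '.join(types)} via {', '.join(grants)}")
```

Accounts the report lists are the ones to review first when deciding which credentials to rotate after patching; an account limited to `objects/query/Host` and `objects/query/Service`, as the sample `dashboard` user is, does not meet the precondition the bulletin describes.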
Remediation
Install update from vendor's website.