SB20241112171 - Improper Certificate Validation in Icinga
Published: November 12, 2024 Updated: June 29, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Certificate Validation (CVE-ID: CVE-2024-49369)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to impersonate trusted cluster nodes or API users and execute arbitrary commands, modify configuration, or disclose sensitive information.
The vulnerability exists due to improper certificate validation in JSON-RPC and HTTP API connections when establishing TLS-authenticated connections. A remote attacker can present a crafted certificate to impersonate trusted identities to execute arbitrary commands, modify configuration, or disclose sensitive information.
Additional impact depends on whether distributed installations accept configuration updates or commands, and on the permissions assigned to certificate-authenticated API users.
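The defect class named above (CWE-295) is a client or server that completes a TLS handshake without actually binding the presented certificate to a trusted CA and an expected identity. The following Python snippet is an added illustration for defenders, not code from this bulletin or from the Icinga project: it places the weak TLS client configuration beside the hardened one and shows the identity check a cluster peer should perform after the handshake. It assumes the cluster identifies nodes by the certificate's commonName (the convention Icinga 2 uses for endpoint certificates); the CA path, host names and the sample peer certificate dictionary are constructed for the example.

```python
import socket
import ssl
from typing import Optional

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# when the peer certificate was verified against a CA. Not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "satellite1.example.internal"),),),
    "issuer": ((("commonName", "Icinga CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def make_unverified_context() -> ssl.SSLContext:
    """The weak setting: the handshake succeeds for ANY certificate.

    getpeercert() returns {} for such a connection, so there is no
    identity to check afterwards; anyone who can reach the port can
    present a self-signed certificate and be 'authenticated'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_verifying_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """The corrected setting: chain must lead to the cluster CA.

    PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED plus hostname
    checking; the CA bundle is the only thing that has to be supplied.
    ca_file may be None in unit tests where no connection is made.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # hypothetical CA path, e.g. /var/lib/icinga2/certs/ca.crt
    return ctx


def context_authenticates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject unknown certificates and wrong names."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def peer_common_name(peercert: dict) -> Optional[str]:
    """Extract the subject commonName from a getpeercert() dictionary."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def peer_identity_ok(peercert: dict, expected_name: str) -> bool:
    """Bind the verified certificate to the node we intended to talk to.

    Chain validation alone only proves 'some cluster member signed this';
    the CN comparison proves it is the specific endpoint we expect, so a
    valid certificate for node A cannot be replayed as node B.
    """
    if not peercert:                      # empty dict == unverified connection
        return False
    cn = peer_common_name(peercert)
    return cn is not None and cn == expected_name


def connect_and_verify(host: str, port: int, ca_file: str, expected_name: str) -> bool:
    """Open a TLS connection and accept it only if both checks pass."""
    ctx = make_verifying_context(ca_file)
    with socket.create_connection((host, port), timeout=5) as raw:
        # server_hostname drives SNI and the hostname check inside the handshake
        with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
            return peer_identity_ok(tls.getpeercert(), expected_name)


if __name__ == "__main__":
    print("weak context authenticates peer:", context_authenticates_peer(make_unverified_context()))
    print("hardened context authenticates peer:", context_authenticates_peer(make_verifying_context(None)))
    print("sample cert accepted as satellite1:", peer_identity_ok(SAMPLE_PEERCERT, "satellite1.example.internal"))
    print("sample cert accepted as master1:", peer_identity_ok(SAMPLE_PEERCERT, "master1.example.internal"))
```

The two checks are deliberately separate: `make_verifying_context` answers "was this certificate issued by our CA?", and `peer_identity_ok` answers "is it the certificate of the node I meant to reach?". A fix for an improper-validation bug has to restore both, and a detection rule for this class of issue is correspondingly simple: any connection where `getpeercert()` comes back empty, or where the CN differs from the configured endpoint name, should be refused and logged.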
Remediation
Install the update from the vendor's website.