Improper access control in Icinga - CVE-2021-32743

 

Published: July 15, 2021 / Updated: June 29, 2026


Vulnerability identifier: #VU135833
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-32743
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Icinga
Affected software:
Icinga

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the Icinga API object query handling for IdoMysqlConnection, IdoPgsqlConnection, IcingaDB, and ElasticsearchWriter objects when processing read requests for corresponding object types. A remote user can query affected objects to disclose sensitive information.

Exposed credentials may allow access to external database, Redis, or Elasticsearch services with the permissions assigned to those credentials.
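
To gauge exposure, the following added example (not code from the vendor or from this advisory) lists which ApiUser accounts hold permissions that cover object queries for the affected types. It assumes Icinga 2 permission strings of the form `objects/query/<Type>` with `*` wildcards matched case-insensitively and plain-string permission entries only; the configuration sample and the user names in it are constructed.

```python
import re

# Object types named in the advisory.
AFFECTED_TYPES = ("IdoMysqlConnection", "IdoPgsqlConnection", "IcingaDB", "ElasticsearchWriter")

# Constructed sample of ApiUser definitions (not from a real system; passwords omitted).
SAMPLE_CONFIG = '''
object ApiUser "root" {
  permissions = [ "*" ]
}
object ApiUser "dashboard" {
  permissions = [ "objects/query/Host", "objects/query/Service", "status/query" ]
}
object ApiUser "inventory" {
  permissions = [ "objects/query/*" ]
}
object ApiUser "legacy-ido" {
  permissions = [ "actions/*", "objects/query/Ido*Connection" ]
}
'''

API_USER_RE = re.compile(r'object\s+ApiUser\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
PERMS_RE = re.compile(r'permissions\s*=\s*\[(.*?)\]', re.S)

def grants(pattern, required):
    """Glob match where only '*' is a wildcard, case-insensitive (assumed semantics)."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, required.lower()) is not None

def audit(config_text):
    """Return {api_user: [affected types it may query]} for users with any exposure."""
    findings = {}
    for name, body in API_USER_RE.findall(config_text):
        m = PERMS_RE.search(body)
        perms = re.findall(r'"([^"]+)"', m.group(1)) if m else []
        exposed = [t for t in AFFECTED_TYPES
                   if any(grants(p, "objects/query/" + t) for p in perms)]
        if exposed:
            findings[name] = exposed
    return findings

if __name__ == "__main__":
    for user, types in audit(SAMPLE_CONFIG).items():
        print(f"{user}: can query {', '.join(types)}")
```

Accounts reported here are the ones whose read access reaches the affected object types; credentials configured on those objects are candidates for rotation if such an account was used on an unpatched instance.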


How to mitigate CVE-2021-32743

Install the security update from the vendor's website.
