Improper Certificate Validation in Icinga - CVE-2024-49369

Published: November 12, 2024 / Updated: June 29, 2026


Vulnerability identifier: #VU135836
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-49369
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Icinga
Affected software: Icinga

Detailed vulnerability description

The vulnerability allows a remote attacker to impersonate trusted cluster nodes or API users and execute arbitrary commands, modify configuration, or disclose sensitive information.

The vulnerability exists due to improper certificate validation when establishing TLS-authenticated JSON-RPC and HTTP API connections. A remote attacker can present a crafted certificate to impersonate trusted identities and thereby execute arbitrary commands, modify configuration, or disclose sensitive information.

Additional impact depends on whether distributed installations accept configuration updates or commands, and on the permissions assigned to certificate-authenticated API users.


How to mitigate CVE-2024-49369

Install the security update from the vendor's website.

Sources