Path traversal in Icinga Web 2 - CVE-2021-32746

 

Path traversal in Icinga Web 2 - CVE-2021-32746

Published: July 12, 2021 / Updated: July 6, 2026


Vulnerability identifier: #VU136934
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-32746
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: www.icinga.org
Affected software:
Icinga Web 2

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in the doc module image route when handling crafted requests for documentation images. A remote user can send a specially crafted request to disclose sensitive information.

The vulnerable functionality is only exposed when the doc module is enabled and the user has explicit permission to access it.


How to mitigate CVE-2021-32746

Install security update from vendor's website.

Sources