Improper access control in Icinga Web 2 - CVE-2021-32747

 

Improper access control in Icinga Web 2 - CVE-2021-32747

Published: July 12, 2021 / Updated: July 6, 2026


Vulnerability identifier: #VU136936
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-32747
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: www.icinga.org
Affected software:
Icinga Web 2

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the monitoring list routes when processing the undocumented addColumns URL parameter. A remote user can supply crafted addColumns values to disclose sensitive information.

The issue affects access to custom variables on the host and service list routes, including JSON and CSV exports.


How to mitigate CVE-2021-32747

Install security update from vendor's website.

Sources