Lucene search

GoogleOSV:GHSA-W9PG-7C3H-FC8J

HistoryAug 05, 2024 - 2:39 p.m.

ipl/web's `ipl\Web\Common\CsrfCounterMeasure` is susceptible to CSRF

2024-08-0514:39:09

Google

osv.dev

icinga web

csrf

cross site request forgery

vulnerability

icinga db web

icinga notifications web

icinga web jira integration

icinga php library

CVSS3

3.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score

6.7

Confidence

High

EPSS

Percentile

9.4%

JSON

Impact

Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery. (CSRF)

Affected products:

Icinga Web (>=2.12.0)
Icinga DB Web (>=1.0.0)
Icinga Notifications Web (>=0.1.0)
Icinga Web JIRA Integration (>=1.3.0)

All affected products, in any version, will be unaffected by this once icinga-php-library is upgraded.

Patches

Version 0.10.1 will include a fix for this. It will be published as part of the icinga-php-library v0.14.1 release.

References

github.com/Icinga/ipl-web

github.com/Icinga/ipl-web/commit/492336fdb57a5bb0881ed642ab36f5841337571e

github.com/Icinga/ipl-web/security/advisories/GHSA-w9pg-7c3h-fc8j

nvd.nist.gov/vuln/detail/CVE-2024-41811

CVSS3

3.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score

6.7

Confidence

High

EPSS

Percentile

9.4%

JSON

Related for OSV:GHSA-W9PG-7C3H-FC8J