CVE-2021-32743

Icinga is a monitoring system which checks the availability of network
resources, notifies users of outages, and generates performance data for
reporting. In versions prior to 2.11.10 and from version 2.12.0 through
version 2.12.4, some of the Icinga 2 features that require credentials for
external services expose those credentials through the API to authenticated
API users with read permissions for the corresponding object types.
IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes
the password of the user used to connect to the database. IcingaDB (added
in 2.12.0) exposes the password used to connect to the Redis server.
ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to
the Elasticsearch server. An attacker who obtains these credentials can
impersonate Icinga to these services and add, modify and delete information
there. If credentials with more permissions are in use, this increases the
impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these
passwords are no longer exposed via the API. As a workaround, API user
permissions can be restricted to not allow querying of any affected
objects, either by explicitly listing only the required object types for
object query permissions, or by applying a filter rule.