CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS
Percentile: 79.5%
Icinga is a monitoring system which checks the availability of network
resources, notifies users of outages, and generates performance data for
reporting. In versions prior to 2.11.10 and from version 2.12.0 through
version 2.12.4, some of the Icinga 2 features that require credentials for
external services expose those credentials through the API to authenticated
API users with read permissions for the corresponding object types.
IdoMysqlConnection and IdoPgsqlConnection (every released version) expose
the password of the user used to connect to the database. IcingaDB (added
in 2.12.0) exposes the password used to connect to the Redis server.
ElasticsearchWriter (added in 2.8.0) exposes the password used to connect to
the Elasticsearch server. An attacker who obtains these credentials can
impersonate Icinga to these services and add, modify and delete information
there. If credentials with more permissions are in use, the impact increases
accordingly. Starting with the 2.11.10 and 2.12.5 releases, these
passwords are no longer exposed via the API. As a workaround, API user
permissions can be restricted so that none of the affected object types can
be queried, either by explicitly listing only the required object types in
the object query permissions, or by applying a filter rule.