Vulnerability Details : CVE-2021-32746
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows documentation to be viewed directly in the UI. It must be enabled manually by an administrator, and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
Vulnerability category: Directory traversal
Products affected by CVE-2021-32746
- cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*
Threat overview for CVE-2021-32746
- Top countries where our scanners detected CVE-2021-32746: (no data listed)
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2021-32746: 3
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2021-32746
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~42% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-32746
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N | 6.8 | 2.9 | NIST |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.6 | 3.6 | NIST |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.6 | 3.6 | GitHub, Inc. |
CWE ids for CVE-2021-32746
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2021-32746
- https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5 (Release Icinga Web 2 Version 2.7.5 · Icinga/icingaweb2 · GitHub) - Release Notes; Third Party Advisory
- https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0 (Release Icinga Web 2 Version 2.9.0 · Icinga/icingaweb2 · GitHub) - Release Notes; Third Party Advisory
- https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43 (Possible path traversal by use of the `doc` module · Advisory · Icinga/icingaweb2 · GitHub) - Exploit; Third Party Advisory
- https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3 (Release Icinga Web 2 Version 2.8.3 · Icinga/icingaweb2 · GitHub) - Release Notes; Third Party Advisory