CVE-2021-32746
Summary
| CVE | CVE-2021-32746 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-07-12 23:15:00 UTC |
| Updated | 2021-07-15 16:40:00 UTC |
| Description | Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users. |
Risk And Classification
Problem Types: CWE-22
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Release Icinga Web 2 Version 2.9.0 · Icinga/icingaweb2 · GitHub | MISC | github.com | |
| Possible path traversal by use of the `doc` module · Advisory · Icinga/icingaweb2 · GitHub | CONFIRM | github.com | |
| Release Icinga Web 2 Version 2.8.3 · Icinga/icingaweb2 · GitHub | MISC | github.com | |
| Release Icinga Web 2 Version 2.7.5 · Icinga/icingaweb2 · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.