Bug 1188264 - (CVE-2021-32747) VUL-0: CVE-2021-32747: icingaweb2: custom variables are exposed to unauthorized users
VUL-0: CVE-2021-32747: icingaweb2: custom variables are exposed to unauthoriz...
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem
Leap 15.2
Other Other
: P3 - Medium : Minor (vote)
: ---
Assigned To: Peter Nixon
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2021-07-13 13:07 UTC by Alexander Bergmann
Modified: 2021-11-02 16:48 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2021-07-13 13:07:35 UTC

Icinga Web 2 is an open source monitoring web interface, framework, and
command-line interface. A vulnerability in which custom variables are exposed to
unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are
user-defined keys and values on configuration objects in Icinga 2. These are
commonly used to reference secrets in other configurations such as check
commands to be able to authenticate with a service being checked. Icinga Web 2
displays these custom variables to logged in users with access to said hosts or
services. In order to protect the secrets from being visible to anyone, it's
possible to setup protection rules and blacklists in a user's role. Protection
rules result in `***` being shown instead of the original value, the key will
remain. Backlists will hide a custom variable entirely from the user. Besides
using the UI, custom variables can also be accessed differently by using an
undocumented URL parameter. By adding a parameter to the affected routes, Icinga
Web 2 will show these columns additionally in the respective list. This
parameter is also respected when exporting to JSON or CSV. Protection rules and
blacklists however have no effect in this case. Custom variables are shown as-is
in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases.
As a workaround, one may set up a restriction to hide hosts and services with
the custom variable in question.