Bug 1196913 - (CVE-2022-24714) VUL-0: CVE-2022-24714: icingaweb2: Unwanted disclosure of hosts and related data, linked to decommissioned services
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/325577/
Reported: 2022-03-09 09:37 UTC by Thomas Leroy
Modified: 2022-04-08 11:42 UTC (History)

Found By: Security Response Team

Description Thomas Leroy 2022-03-09 09:37:12 UTC
CVE-2022-24714

Icinga Web 2 is an open source monitoring web interface, framework and
command-line interface. Installations of Icinga 2 with the IDO writer enabled
are affected. If you use service custom variables in role restrictions, and you
regularly decommission service objects, users with said roles may still have
access to a collection of content. Note that this only applies if a role has
implicitly permitted access to hosts, due to permitted access to at least one of
their services. If access to a host is permitted by other means, no sensitive
information has been disclosed to unauthorized users. This issue has been
resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.

Upstream fix:
https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24714
https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf
https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293
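A constructed Python model, added here and not code from Icinga Web 2 or the commit above, of the access pattern the description gives: a role restricted by a service custom variable implicitly sees the hosts of the services that match, so a host keeps leaking while a decommissioned service still matches. It assumes decommissioned services linger in the backing store as inactive records; that assumption, the `team` variable and the sample hosts are invented for the illustration.

```python
# Constructed model of the access pattern in CVE-2022-24714 (not Icinga Web 2
# code): a role restricted by a service custom variable implicitly sees the
# hosts of the services that match. Assumption: decommissioned services linger
# in the backing store as inactive records, which the buggy check never excludes.
from dataclasses import dataclass, field

@dataclass
class Service:
    name: str
    host: str
    custom_vars: dict = field(default_factory=dict)
    active: bool = True          # False once the service is decommissioned

@dataclass
class Role:
    var_name: str                # restriction "service custom var == value"
    var_value: str

def visible_services(role, services, exclude_decommissioned):
    """Services the role's restriction matches; the buggy variant keeps inactive ones."""
    return [s for s in services
            if s.custom_vars.get(role.var_name) == role.var_value
            and (s.active or not exclude_decommissioned)]

def visible_hosts(role, services, exclude_decommissioned):
    """Hosts implicitly permitted because at least one of their services is visible."""
    return sorted({s.host for s in visible_services(role, services, exclude_decommissioned)})

# Constructed inventory: the "web" team once had a service on db01, since decommissioned.
SERVICES = [
    Service("http", "web01", {"team": "web"}),
    Service("mysql", "db01", {"team": "db"}),
    Service("legacy-proxy", "db01", {"team": "web"}, active=False),
]
WEB_ROLE = Role("team", "web")

def vulnerable_hosts():
    """Before the fix: db01 stays visible through its decommissioned service."""
    return visible_hosts(WEB_ROLE, SERVICES, exclude_decommissioned=False)

def fixed_hosts():
    """After the fix: only hosts with an active service matching the restriction."""
    return visible_hosts(WEB_ROLE, SERVICES, exclude_decommissioned=True)

def leaked_hosts():
    """Hosts a role member could still see only because of stale service data."""
    return sorted(set(vulnerable_hosts()) - set(fixed_hosts()))

if __name__ == "__main__":
    print("vulnerable:", vulnerable_hosts(), "fixed:", fixed_hosts(), "leaked:", leaked_hosts())
```

The same pattern applies to any permission derived transitively from child objects: the derivation must be recomputed against live objects only, or the parent stays reachable after its children are gone.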
Comment 1 Thomas Leroy 2022-03-09 09:37:28 UTC
Should be affected:
- openSUSE:Factory                     v2.9.5
- openSUSE:Backports:SLE-15-SP3        v2.7.4
- openSUSE:Backports:SLE-15-SP4        v2.7.4
Comment 2 OBSbugzilla Bot 2022-03-18 13:30:09 UTC
This is an autogenerated message for OBS integration:
This bug (1196913) was mentioned in
https://build.opensuse.org/request/show/962690 Backports:SLE-12 / icingaweb2
https://build.opensuse.org/request/show/962691 Backports:SLE-15-SP3 / icingaweb2
https://build.opensuse.org/request/show/962692 Backports:SLE-15-SP4 / icingaweb2
Comment 3 Swamp Workflow Management 2022-03-21 14:21:11 UTC
openSUSE-SU-2022:0087-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1196911,1196913
CVE References: CVE-2022-24714,CVE-2022-24715
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    icingaweb2-2.8.6-15.1
Comment 4 Swamp Workflow Management 2022-03-31 13:21:15 UTC
openSUSE-SU-2022:0097-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1196911,1196913
CVE References: CVE-2022-24714,CVE-2022-24715
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    icingaweb2-2.8.6-bp153.2.3.1
Comment 5 Eric Schirra 2022-04-08 11:42:39 UTC
Leap 15.4 now has 2.8.6