Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2022-24716— Path traversal in Icinga Web 2

CVSS 7.5 · High EPSS 93.19% · P100
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-24716

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Path traversal in Icinga Web 2
Source: NVD (National Vulnerability Database)
Vulnerability Description
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Icinga Web 2 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Icinga Web 2是一个应用软件。Icinga Web 2是Icinga Project开发的下一代开源监控 Web 界面、框架和命令行界面,支持 Icinga 2、Icinga Core 和任何其他兼容 IDO 数据库的监控后端。 Icinga Web 2 存在路径遍历漏洞,该漏洞源于未经认证的Icinga Web 2 用户可以泄露web-server用户可以访问的本地系统文件的内容,包括带有数据库凭据的“icingaweb2”配置文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
Icingaicingaweb2 >= 2.9.0, < 2.9.6 -

II. Public POCs for CVE-2022-24716

#POC DescriptionSource LinkShenlong Link
1Arbitrary File Disclosure Vulnerability in Icinga Web 2 <2.8.6, <2.9.6, <2.10https://github.com/JacobEbben/CVE-2022-24716POC Details
2CVE-2022-24716 (Arbitrary File Disclosure Icingaweb2)https://github.com/joaoviictorti/CVE-2022-24716POC Details
3Nonehttps://github.com/pumpkinpiteam/CVE-2022-24716POC Details
4Arbitrary File Disclosure Vulnerability in Icinga Web 2 <2.8.6, <2.9.6, <2.10https://github.com/doosec101/CVE-2022-24716POC Details
5Nonehttps://github.com/antisecc/CVE-2022-24716POC Details
6Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-24716.yamlPOC Details
7CVE-2022-24716 (Arbitrary File Disclosure Icingaweb2)https://github.com/gmh5225/CVE-2022-24716-2POC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2022-24716

登录查看更多情报信息。

Patches & Fixes for CVE-2022-24716 (1)

Vendor Advisories for CVE-2022-24716 (2)

Same Patch Batch · Icinga · 2022-03-08 · 3 CVEs total

CVE-2022-247158.5 HIGHArbitrary code execution for authenticated users in Icinga Web 2
CVE-2022-247145.3 MEDIUMDisclosure of hosts and related data, linked to decommissioned services in Icinga Web 2

IV. Related Vulnerabilities

Same product: icingaweb2
Same vendor: Icinga
Same weakness: CWE-22

V. Comments for CVE-2022-24716

No comments yet

Leave a comment