CVE-2020-24368: Path Traversal
First published: Wed Aug 19 2020(Updated: )
Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/icingaweb2 | 2.6.2-3+deb10u1 2.8.2-2 2.11.4-2+deb12u1 2.12.0-1 | |
| Icinga Icinga Web 2 | >=2.0.0<2.6.4 | |
| Icinga Icinga Web 2 | >=2.7.0<2.7.4 | |
| Icinga Icinga Web 2 | >=2.8.0<2.8.2 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10 | |
| Suse Package Hub | ||
| SUSE Linux Enterprise | =12.0 | |
| debian/icingaweb2 | <=2.6.2-3<=2.8.1-1<=2.0.0~beta3-1 | 2.8.2-1 2.6.2-3+deb10u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/
- https://github.com/Icinga/icingaweb2/issues/4226
- https://github.com/Icinga/icingaweb2/commit/5700caf5f2ebd8a20ce2bd9ca30cb471f8b7487e
- https://github.com/Icinga/icingaweb2/commit/3035efac65ca2f7977916bd117056aa411776dfd
- https://security-tracker.debian.org/tracker/CVE-2020-24368
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00026.html
- https://github.com/Icinga/icingaweb2/blob/master/CHANGELOG.md
- https://lists.debian.org/debian-lts-announce/2020/08/msg00040.html
- https://security.gentoo.org/glsa/202208-05
- https://www.debian.org/security/2020/dsa-4747
- https://salsa.debian.org/nagios-team/pkg-icingaweb2/-/commits/buster
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968833
Frequently Asked Questions
What is the vulnerability ID of this security issue?
The vulnerability ID of this security issue is CVE-2020-24368.
What is the severity level of CVE-2020-24368?
The severity level of CVE-2020-24368 is high, with a severity value of 7.5.
What is the affected software?
The affected software is Icinga Web2 versions 2.0.0 through 2.6.4, 2.7.4, and 2.8.2.
How can an attacker exploit this vulnerability?
An attacker can exploit this vulnerability by accessing arbitrary files that are readable by the process running Icinga Web 2.
How can I fix CVE-2020-24368?
To fix CVE-2020-24368, update Icinga Web2 to versions 2.6.4, 2.7.4, or 2.8.2.
- collector/security-tracker-debian
- collector/nvd-index
- collector/debian-bugs
- alias/CVE-2020-24368
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- package-manager/debian
- vendor/icinga
- canonical/icinga icinga web 2
- version/icinga icinga web 2/2.0.0
- version/icinga icinga web 2/2.7.0
- version/icinga icinga web 2/2.8.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10
- vendor/suse
- canonical/suse package hub
- canonical/suse linux enterprise
- version/suse linux enterprise/12.0