CVE-2021-32746

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-32746
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32746.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-32746
Downstream
Related
  • GHSA-cmgc-h4cx-3v43
Published
2021-07-12T23:15:07Z
Modified
2025-11-01T16:13:12.673095Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the doc module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the doc module or revoke permission to use it from all users.

References

Affected packages

Git / github.com/icinga/icinga2

Affected ranges

Type
GIT
Repo
https://github.com/icinga/icinga2
Events
Introduced
06ed955cb5bcc51179f92fbbd20303428208827b
Fixed
292d71c43954bfbdcdab596520b6c0a3c7922ecd

Affected versions

v2.*

v2.8.0
v2.8.1
v2.8.2

Git / github.com/icinga/icingaweb2

Affected ranges

Type
GIT
Repo
https://github.com/icinga/icingaweb2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
18996270b264976adf18d20da557d0c2806217c5
Fixed
3b0a0a78df9389c46d3a74611a8eaec2f2b3cc77
Fixed
479f990d5981354c05c362700117fe086cd048a9

Affected versions

v1.*

v1.0-11

v2.*

v2.0.0
v2.0.0-beta1
v2.0.0-beta2
v2.0.0-beta3
v2.0.0-rc1
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.4.0-2
v2.4.1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.8.0
v2.8.0-rc1
v2.8.1
v2.8.2