CVE-2024-49369

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

Database specific

{
    "cwe_ids": [
        "CWE-295"
    ]
}

References

Affected packages

Git / github.com/icinga/icinga2

Affected ranges

Type: GIT
Repo: https://github.com/icinga/icinga2
Events: Introduced

ac7f4fada837587568d069341e6dc11c309afb78

Fixed

5cde51ca35a1177c980223ab8d528f139aec9934

Type: GIT
Repo: https://github.com/icinga/icinga2
Events: Introduced

338d0aaa8ca17b94cc84048d4811c0c478f363a4

Fixed

e2dc726076f54fac7d8ca862e078ce16fb08a4b6

Type: GIT
Repo: https://github.com/icinga/icinga2
Events: Introduced

aaccd0448feff8769b3c825c5c13b9fd6fbeed27

Fixed

0eb2949923d2483b919f2f0f19d2efe704842818

Type: GIT
Repo: https://github.com/icinga/icinga2
Events: Introduced

0d5802937ba274fd3b9e13a48c4638cc104ad577

Fixed

45452629db2e82a89cb1c1ee44c88b2eec832cdf

Affected versions

v2.*

v2.10.0

v2.10.1

v2.10.2

v2.10.3

v2.10.4

v2.10.5

v2.11.0

v2.11.0-rc1

v2.11.1

v2.11.10

v2.11.11

v2.11.2

v2.11.3

v2.11.4

v2.11.5

v2.11.6

v2.11.7

v2.11.8

v2.11.9

v2.12.0

v2.12.1

v2.12.10

v2.12.2

v2.12.3

v2.12.4

v2.12.5

v2.12.6

v2.12.7

v2.12.8

v2.12.9

v2.13.0

v2.13.1

v2.13.2

v2.13.3

v2.13.4

v2.13.5

v2.13.6

v2.13.7

v2.13.8

v2.13.9

v2.14.0

v2.14.1

v2.14.2

v2.4.0

v2.4.1

v2.4.10

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.7.0

v2.7.1

v2.7.2

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.9.0

v2.9.1

v2.9.2