Impact
Unauthenticated users can leak the contents of files on the local system that are accessible to the web-server user, including icingaweb2
configuration files with database credentials.
Patches
This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2.
Database credentials should be rotated.
Workarounds
Only allow trusted source IP addresses to access the icingaweb2
instance and the database.
References
Further technical details will be disclosed on https://blog.sonarsource.com/tag/security after some time.
For more information
If you have any questions or comments about this advisory, you can contact:
- The original reporters, by sending an email to vulnerability.research [at] sonarsource.com;
- The maintainers, by asking for assistance on the forums.