CVE-2020-24368

Upstream information

CVE-2020-24368 at MITRE

Description

Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.

---

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores

	National Vulnerability Database
Base Score	4.3
Vector	AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector	Network
Access Complexity	Medium
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	None
Availability Impact	None

CVSS v3 Scores

	National Vulnerability Database
Base Score	7.5
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	None
Availability Impact	None
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1175530 [RESOLVED / FIXED]

SUSE Security Advisories:

• openSUSE-SU-2020:1674-1, published Thu Dec 7 12:55:41 2023

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 12	icingacli >= 2.7.4-12.1 icingaweb2 >= 2.7.4-12.1 icingaweb2-common >= 2.7.4-12.1 icingaweb2-vendor-HTMLPurifier >= 2.7.4-12.1 icingaweb2-vendor-JShrink >= 2.7.4-12.1 icingaweb2-vendor-Parsedown >= 2.7.4-12.1 icingaweb2-vendor-dompdf >= 2.7.4-12.1 icingaweb2-vendor-lessphp >= 2.7.4-12.1 icingaweb2-vendor-zf1 >= 2.7.4-12.1 php-Icinga >= 2.7.4-12.1	Patchnames: openSUSE-2020-1674
SUSE Package Hub 15 SP1	icingacli >= 2.7.4-bp151.5.6.1 icingaweb2 >= 2.7.4-bp151.5.6.1 icingaweb2-common >= 2.7.4-bp151.5.6.1 icingaweb2-vendor-HTMLPurifier >= 2.7.4-bp151.5.6.1 icingaweb2-vendor-JShrink >= 2.7.4-bp151.5.6.1 icingaweb2-vendor-Parsedown >= 2.7.4-bp151.5.6.1 icingaweb2-vendor-dompdf >= 2.7.4-bp151.5.6.1 icingaweb2-vendor-lessphp >= 2.7.4-bp151.5.6.1 icingaweb2-vendor-zf1 >= 2.7.4-bp151.5.6.1 php-Icinga >= 2.7.4-bp151.5.6.1	Patchnames: openSUSE-2020-1674
SUSE Package Hub 15 SP2	icingacli >= 2.7.4-bp152.2.3.1 icingaweb2 >= 2.7.4-bp152.2.3.1 icingaweb2-common >= 2.7.4-bp152.2.3.1 icingaweb2-vendor-HTMLPurifier >= 2.7.4-bp152.2.3.1 icingaweb2-vendor-JShrink >= 2.7.4-bp152.2.3.1 icingaweb2-vendor-Parsedown >= 2.7.4-bp152.2.3.1 icingaweb2-vendor-dompdf >= 2.7.4-bp152.2.3.1 icingaweb2-vendor-lessphp >= 2.7.4-bp152.2.3.1 icingaweb2-vendor-zf1 >= 2.7.4-bp152.2.3.1 php-Icinga >= 2.7.4-bp152.2.3.1	Patchnames: openSUSE-2020-1674
openSUSE Leap 15.1	icingacli >= 2.7.4-lp151.6.8.1 icingaweb2 >= 2.7.4-lp151.6.8.1 icingaweb2-common >= 2.7.4-lp151.6.8.1 icingaweb2-vendor-HTMLPurifier >= 2.7.4-lp151.6.8.1 icingaweb2-vendor-JShrink >= 2.7.4-lp151.6.8.1 icingaweb2-vendor-Parsedown >= 2.7.4-lp151.6.8.1 icingaweb2-vendor-dompdf >= 2.7.4-lp151.6.8.1 icingaweb2-vendor-lessphp >= 2.7.4-lp151.6.8.1 icingaweb2-vendor-zf1 >= 2.7.4-lp151.6.8.1 php-Icinga >= 2.7.4-lp151.6.8.1	Patchnames: openSUSE-2020-1674
openSUSE Leap 15.2	icingacli >= 2.7.4-lp152.2.3.1 icingaweb2 >= 2.7.4-lp152.2.3.1 icingaweb2-common >= 2.7.4-lp152.2.3.1 icingaweb2-vendor-HTMLPurifier >= 2.7.4-lp152.2.3.1 icingaweb2-vendor-JShrink >= 2.7.4-lp152.2.3.1 icingaweb2-vendor-Parsedown >= 2.7.4-lp152.2.3.1 icingaweb2-vendor-dompdf >= 2.7.4-lp152.2.3.1 icingaweb2-vendor-lessphp >= 2.7.4-lp152.2.3.1 icingaweb2-vendor-zf1 >= 2.7.4-lp152.2.3.1 php-Icinga >= 2.7.4-lp152.2.3.1	Patchnames: openSUSE-2020-1674
openSUSE Tumbleweed	icingacli >= 2.8.4-1.6 icingaweb2 >= 2.8.4-1.6 icingaweb2-common >= 2.8.4-1.6 icingaweb2-vendor-HTMLPurifier >= 2.8.4-1.6 icingaweb2-vendor-JShrink >= 2.8.4-1.6 icingaweb2-vendor-Parsedown >= 2.8.4-1.6 icingaweb2-vendor-dompdf >= 2.8.4-1.6 icingaweb2-vendor-lessphp >= 2.8.4-1.6 icingaweb2-vendor-zf1 >= 2.8.4-1.6 php-Icinga >= 2.8.4-1.6	Patchnames: openSUSE-Tumbleweed-2024-10857

---

SUSE Timeline for this CVE

CVE page created: Wed Aug 19 22:22:19 2020
CVE page last modified: Sun Jun 16 01:12:24 2024