CVE-2018-18249

Name of the Vulnerable Software and Affected Versions Icinga Web 2 versions prior to 2.6.2

Description The issue allows for the injection of PHP ini-file directives through environment variables. This can be achieved by sending specific information to the attacker, such as using a name parameter with a value like ${PATH} ${APACHE RUN DIR} ${APACHE RUN USER} in API endpoints like "/icingaweb2/navigation/add" or "/icingaweb2/dashboard/new-dashlet".

Recommendations For versions prior to 2.6.2, update to version 2.6.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the /icingaweb2/navigation/add and /icingaweb2/dashboard/new-dashlet API endpoints to minimize the risk of exploitation. Avoid using the name parameter with untrusted input in these endpoints until the issue is resolved.