PT-2021-4011 · Icingadb+4 · Icingadb+7

Julianbrost · Published 2021-07-15 · Updated 2024-11-16 · CVE-2021-32743

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Icinga versions prior to 2.11.10
Icinga versions 2.12.0 through 2.12.4
Description

Credentials for external services are exposed through the Icinga 2 API to any authenticated API user holding read (object query) permission for the corresponding object types. Specifically, IdoMysqlConnection and IdoPgsqlConnection expose the password of the user used to connect to the database, IcingaDB exposes the password used to connect to the Redis server, and ElasticsearchWriter exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify, and delete information there. If the configured credentials carry more permissions than Icinga itself needs, the impact increases accordingly.
Recommendations

For Icinga versions prior to 2.11.10, update to version 2.11.10 or later. For Icinga versions 2.12.0 through 2.12.4, update to version 2.12.5 or later. As a temporary workaround, restrict API user permissions so that none of the affected object types can be queried, either by explicitly listing only the required object types in the object query permissions instead of granting a wildcard, or by applying a filter rule to the permission.
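The following audit script is an added example, not code from the Icinga project or from this advisory. It parses the JSON shape returned by the Icinga 2 API for GET /v1/objects/<type> (a "results" list whose entries carry the object's attributes under "attrs") and reports every object of the four types named in the description whose "password" attribute comes back populated, which is exactly what a read-only API user should not be able to see once the update or the permission workaround is in place. The sample responses are constructed for this example; the endpoint path names in CREDENTIAL_TYPES and the hypothetical host names are assumptions, and fetch_objects is only exercised when pointed at a live instance.

```python
"""Audit Icinga 2 API object dumps for exposed external-service credentials.

Added example for CVE-2021-32743; not code from the Icinga project or the
advisory.  The API response shape and the four object types follow the
advisory text; endpoint path names are an assumption.
"""
import base64
import json
import ssl
import urllib.request

# Object types named in the advisory, mapped to the (assumed) plural
# endpoint path under /v1/objects/.  On vulnerable versions each of these
# returns its `password` attribute to any user with objects/query permission.
CREDENTIAL_TYPES = {
    "IdoMysqlConnection": "idomysqlconnections",
    "IdoPgsqlConnection": "idopgsqlconnections",
    "IcingaDB": "icingadbs",
    "ElasticsearchWriter": "elasticsearchwriters",
}


def find_exposed_credentials(response):
    """Return [(object name, host, password)] for every object whose
    `password` attribute is present and non-empty.

    `response` is the parsed JSON body of GET /v1/objects/<type>.  A patched
    node omits the attribute entirely, and an object with an empty password
    leaks nothing, so both cases produce no finding.
    """
    exposed = []
    for obj in response.get("results", []):
        attrs = obj.get("attrs", {})
        password = attrs.get("password")
        if password:
            exposed.append((obj.get("name"), attrs.get("host"), password))
    return exposed


def audit(responses):
    """Run find_exposed_credentials over a {object type: response} mapping
    and return only the types that had findings."""
    findings = {}
    for object_type, response in responses.items():
        hits = find_exposed_credentials(response)
        if hits:
            findings[object_type] = hits
    return findings


def fetch_objects(base_url, api_user, api_password, object_type, verify_tls=True):
    """GET /v1/objects/<plural type> with HTTP basic auth and parse the JSON.

    Only used against a real instance; the stand-alone run below uses the
    constructed SAMPLE_RESPONSES instead.
    """
    path = CREDENTIAL_TYPES[object_type]
    req = urllib.request.Request(f"{base_url}/v1/objects/{path}")
    token = base64.b64encode(f"{api_user}:{api_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab instances often run with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample: what a vulnerable node might return to a read-only
# API user.  Host names and secrets are invented for this example.
SAMPLE_RESPONSES = {
    "IdoMysqlConnection": {"results": [{
        "name": "ido-mysql", "type": "IdoMysqlConnection",
        "attrs": {"host": "db.example.internal", "user": "icinga",
                  "database": "icinga", "password": "correct-horse"}}]},
    "IcingaDB": {"results": [{
        "name": "icingadb", "type": "IcingaDB",
        "attrs": {"host": "127.0.0.1", "port": 6380,
                  "password": "redis-secret"}}]},
    "ElasticsearchWriter": {"results": [{
        "name": "elasticsearch", "type": "ElasticsearchWriter",
        "attrs": {"host": "es.example.internal", "username": "icinga",
                  "password": ""}}]},          # empty password: no finding
    "IdoPgsqlConnection": {"results": []},     # type not configured
}


if __name__ == "__main__":
    for object_type, hits in audit(SAMPLE_RESPONSES).items():
        for name, host, _secret in hits:
            print(f"{object_type} '{name}' exposes its password for {host}")
```

To use it against a real node, call fetch_objects for each key in CREDENTIAL_TYPES with an API user that has only object query permission and feed the results to audit; any finding means the node is still vulnerable or the user's permissions are still too broad. An ApiUser whose permissions list only the object types it needs (for example objects/query/Host and objects/query/Service) rather than a wildcard cannot reach these endpoints at all, which is the workaround the advisory describes.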

Related Identifiers

BDU:2021-04536
CVE-2021-32743
DLA-2816-1
DLA-3953-1
GHSA-WRPW-PMR8-QGJ7
OPENSUSE-SU-2021:1089-1
OPENSUSE-SU-2024:10856-1

Affected Products

Elasticsearch
Elasticsearchwriter
Icinga
Icingadb
Idomysqlconnection
Idopgsqlconnection
Redis
Suse