PT-2021-6529 · Icinga · Icinga Web 2

Nilmerg · Published 2021-07-12 · Updated 2021-07-15 · CVE-2021-32747

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Icinga Web 2 versions 2.0.0 through 2.8.2

Description: A vulnerability exists in Icinga Web 2 where custom variables are exposed to unauthorized users. Custom variables are user-defined keys and values on configuration objects in Icinga 2, commonly used to reference secrets in other configurations. Icinga Web 2 displays these custom variables to logged-in users with access to said hosts or services. Protection rules and blacklists can be set up to protect the secrets, but these have no effect when custom variables are accessed using an undocumented URL parameter. This parameter allows custom variables to be shown as-is in the result, even when exporting to JSON or CSV.

Recommendations: For versions 2.0.0 through 2.8.2, update to version 2.9.0, 2.8.3, or 2.7.5 to resolve the issue. As a temporary workaround, set up a restriction to hide hosts and services with the custom variable in question.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2022-01789
CVE-2021-32747
GHSA-2XV9-886Q-P7XX

Affected Products

Debian
Icinga Web 2