CVE-2021-32739

Name of the Vulnerable Software and Affected Versions Icinga versions 2.4.0 through 2.12.4

Description The issue concerns a monitoring system that checks network resource availability and generates performance data. It may allow privilege escalation for authenticated API users. With a read-only user's credentials, an attacker can view most attributes of config objects, including the ticket salt of ApiListener. This information is sufficient to compute a ticket for every possible common name, which, along with the master node's certificate and a self-signed certificate, can be used to request a desired certificate from the system. This certificate may then be used to steal an endpoint or API user's identity.

Recommendations For versions 2.4.0 through 2.12.4, update to version 2.12.5 or 2.11.10 to resolve the issue. As a temporary workaround, consider specifying queryable types explicitly or filter out ApiListener objects to minimize the risk of exploitation.