9.8

CVE-2024-49369

EPSS 14.77%
Veröffentlicht 12.11.2024 17:15:08
Zuletzt bearbeitet 26.11.2025 13:01:15
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Icinga ≫ Icinga Version >= 2.4.0 < 2.11.12

Icinga ≫ Icinga Version >= 2.12.0 < 2.12.11

Icinga ≫ Icinga Version >= 2.13.0 < 2.13.10

Icinga ≫ Icinga Version >= 2.14.0 < 2.14.3

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	14.77%	0.942

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://github.com/Icinga/icinga2/commit/0419a2c36de408e9a703aec0962061ec9a285d3c

Patch

https://github.com/Icinga/icinga2/commit/2febc5e18ae0c93d989e64ebc2a9fd90e7205ad8

Patch

https://github.com/Icinga/icinga2/commit/3504fc7ed688c10d86988e2029a65efc311393fe

Patch

https://github.com/Icinga/icinga2/commit/869a7d6f0fe38c748e67bacc1fbdd42c933030f6

Patch

https://github.com/Icinga/icinga2/commit/8fed6608912c752b337d977f730547875a820831

Patch

https://github.com/Icinga/icinga2/security/advisories/GHSA-j7wq-r9mg-9wpv

Patch

Vendor Advisory

https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3

Release Notes

https://lists.debian.org/debian-lts-announce/2024/11/msg00010.html

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-49369

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-49369

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-49369

EUVD