Candidate: CVE-2017-16933
PublicDate: 2017-11-24 05:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16933
 https://github.com/Icinga/icinga2/issues/5793
Description:
 etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call
 for a filename in a user-writable directory, which allows local users to
 gain privileges by leveraging access to the $ICINGA2_USER account for
 creation of a link.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.0 HIGH]


Patches_icinga2:
upstream_icinga2: released (2.8.4-1)
precise/esm_icinga2: DNE
trusty_icinga2: DNE
trusty/esm_icinga2: DNE
xenial_icinga2: ignored (end of standard support, was needed)
zesty_icinga2: ignored (reached end-of-life)
artful_icinga2: ignored (reached end-of-life)
bionic_icinga2: needed
cosmic_icinga2: ignored (reached end-of-life)
disco_icinga2: not-affected (2.10.2-1)
eoan_icinga2: not-affected (2.10.2-1)
focal_icinga2: not-affected (2.10.2-1)
groovy_icinga2: not-affected (2.10.2-1)
hirsute_icinga2: not-affected (2.10.2-1)
impish_icinga2: not-affected (2.10.2-1)
jammy_icinga2: not-affected (2.10.2-1)
devel_icinga2: not-affected (2.10.2-1)