Candidate: CVE-2022-24714
PublicDate: 2022-03-08 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24714
 https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf
 https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293
Description:
 Icinga Web 2 is an open source monitoring web interface, framework and
 command-line interface. Installations of Icinga 2 with the IDO writer
 enabled are affected. If you use service custom variables in role
 restrictions, and you regularly decommission service objects, users with
 said roles may still have access to a collection of content. Note that this
 only applies if a role has implicitly permitted access to hosts, due to
 permitted access to at least one of their services. If access to a host is
 permitted by other means, no sensible information has been disclosed to
 unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6
 and 2.10 of Icinga Web 2.
 
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]


Patches_icingaweb2:
upstream_icingaweb2: released (2.9.6-1)
trusty_icingaweb2: ignored (out of standard support)
xenial_icingaweb2: ignored (out of standard support)
bionic_icingaweb2: not-affected (code not present)
focal_icingaweb2: needed
impish_icingaweb2: needed
jammy_icingaweb2: needed
devel_icingaweb2: needed