Icinga Core through 1.14.0 initially executes bin/icinga...
High severity
Unreviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Feb 1, 2023
Description
Published by the National Vulnerability Database
Nov 18, 2017
Published to the GitHub Advisory Database
May 13, 2022
Last updated
Feb 1, 2023
Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account, a related issue to CVE-2017-14312. This also affects bin/icingastats, bin/ido2db, and bin/log2ido.
References