icingaweb2: Directory Traversal vulnerability (CVE-2020-24368)

Icinga Web2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2.

Fixed In Version:

Icingaweb v2.6.4, v2.7.4 and v2.8.2.

Reference:

https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24368

Patch:

https://github.com/Icinga/icingaweb2/commit/3035efac65ca2f7977916bd117056aa411776dfd

Affected branches:

master (2682613a)
3.12-stable

Edited Aug 31, 2020 by Francesco Colista

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information