CVE-2021-32747: 
Icinga vulnerability analysis and mitigation

CVE-2021-32747 affects Icinga Web 2 versions 2.0.0 through 2.8.2, a web interface for monitoring systems. The vulnerability was discovered and disclosed on July 12, 2021, allowing unauthorized access to protected custom variables that could contain sensitive information (GitHub Advisory).

The vulnerability exists in the way Icinga Web 2 handles custom variables through undocumented URL parameters. By using the parameter ?addColumns=hostsecret,servicesecret on specific routes (/icingaweb2/monitoring/list/hosts and /icingaweb2/monitoring/list/services), an attacker can bypass protection rules and blacklists that are meant to hide or mask sensitive custom variables. This affects both UI display and data exports to JSON or CSV formats (GitHub Advisory).

The vulnerability allows attackers to view sensitive information stored in custom variables that should be protected. These custom variables commonly contain secrets used for authentication with monitored services. When exploited, the protection rules that should display asterisks (***) instead of values and blacklists that should hide variables completely become ineffective (GitHub Advisory).

The vulnerability has been patched in versions 2.7.5, 2.8.3, and 2.9.0. As a temporary workaround, administrators can set up restrictions to hide hosts and services with sensitive custom variables using patterns like hostname!=host-with-secrets&servicedescription!=service-with-secrets (GitHub Advisory, GitHub Release).