CVE-2022-24714: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-24714 affects Icinga Web 2, an open source monitoring web interface, framework and command-line interface. The vulnerability was discovered and disclosed on March 8, 2022, affecting installations of Icinga 2 with the IDO writer enabled. The issue specifically impacts systems where service custom variables are used in role restrictions and service objects are regularly decommissioned (GitHub Advisory).

The vulnerability allows users with specific roles to maintain access to host-related content even after associated services are decommissioned. This occurs when a role has implicitly permitted access to hosts due to permitted access to at least one of their services. The issue was patched in versions 2.8.6, 2.9.6, and 2.10 of Icinga Web 2. The vulnerability is rated as Medium severity (Ubuntu CVE).

When exploited, the vulnerability can lead to unauthorized access to several components including contactgroups, contacts, hosts, host events, host comments, host downtimes, and hostgroups. However, this only applies in cases where a role has implicitly permitted access to hosts through service permissions. If host access is permitted through other means, no sensitive information is disclosed to unauthorized users (GitHub Advisory).

The primary mitigation is to upgrade to the patched versions (2.8.6, 2.9.6, or 2.10) of Icinga Web 2. For users unable to upgrade immediately, there are no documented workarounds available. System administrators should review their role-based access controls and service decommissioning procedures (Gentoo Security).