CVE-2022-24716: 
Linux Debian vulnerability analysis and mitigation

Icinga Web 2, an open-source monitoring web interface, framework and command-line interface, was found to contain a path traversal vulnerability (CVE-2022-24716). The vulnerability affects versions from 2.9.0 up to (excluding) 2.9.6. Discovered in February 2022 and disclosed on March 8, 2022, this security flaw allows unauthenticated users to access files on the local system that are accessible to the web-server user (GitHub Advisory, NVD).

The vulnerability is classified as a path traversal issue (CWE-22) with a CVSS v3.1 base score of 7.5 (HIGH). The flaw exists in the StaticController component where unauthenticated users can use directory traversal sequences (../) to access files outside the intended directory. The vulnerability specifically affects the handling of static library file requests, where insufficient path validation allowed attackers to bypass security restrictions (Sonar Blog).

The vulnerability allows unauthenticated attackers to leak the contents of files accessible to the web-server user, including sensitive icingaweb2 configuration files containing database credentials. If attackers can reach the database service, they could potentially use these credentials to modify existing account passwords and gain authenticated access to the instance (GitHub Advisory, Sonar Blog).

The vulnerability has been patched in Icinga Web 2 versions 2.9.6 and 2.10. Organizations should upgrade to these or newer versions immediately. As a precautionary measure, database credentials should be rotated. For systems that cannot be immediately updated, it is recommended to only allow trusted source IP addresses to access the icingaweb2 instance and the database (GitHub Advisory, Gentoo Advisory).