CRITICAL🇵🇱 Wersja polska

CVE-2024-49369

CVSS 9.8v3.1pub. 2024-11-12upd. 2025-11-26

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

🤖 AI Analysis
How it works

In Icinga 2, starting from version 2.4.0, the TLS certificate verification mechanism (CWE-295 — improper certificate validation) was implemented with flaws. An attacker can present an invalid or forged TLS certificate that will be incorrectly accepted by the system. This enables impersonation of both trusted nodes in the Icinga cluster and ApiUser objects that use TLS client certificates (with the client_cn attribute set) for API authentication.

Impact

An attacker can take full control over Icinga cluster communication and gain unauthorized access to the API with privileges of impersonated users, leading to violations of confidentiality, integrity, and availability of the monitoring system.

Mitigation & patch

Icinga 2 should be updated to version v2.14.3, v2.13.10, v2.12.11, or v2.11.12 — depending on the branch in use. Patches are available in the vendor's GitHub repository.

Who is affected

Icinga 2 in versions 2.4.0 and above (before patches: v2.14.3, v2.13.10, v2.12.11, v2.11.12); also affects installations on Debian Linux

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Debian

    OS
    Debian
    11.0
  • Icinga

    APP
    Icinga
    2.4.0 – 2.11.12 (bez)2.12.0 – 2.12.11 (bez)2.13.0 – 2.13.10 (bez)2.14.0 – 2.14.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki