CVE-2020-24368

7.5 HIGH

📋 TL;DR

CVE-2020-24368 is a directory traversal vulnerability in Icinga Web2 that allows attackers to read arbitrary files accessible to the Icinga Web2 process. It affects Icinga Web2 versions from 2.0.0 up to the fixed releases 2.6.4, 2.7.4, and 2.8.2 (the fixed releases themselves are not affected). Organizations running vulnerable versions of Icinga Web2 are at risk of sensitive information disclosure.

💻 Affected Systems

Products:
  • Icinga Web2
Versions: 2.0.0 up to, but not including, the fixed releases 2.6.4, 2.7.4, and 2.8.2
Operating Systems: All platforms running Icinga Web2
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within the affected version range are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive configuration files, credentials, or system files, potentially leading to full system compromise if privileged credentials are exposed.

🟠 Likely Case

Attackers read configuration files containing database credentials, API keys, or other sensitive operational data, enabling further attacks against the monitoring infrastructure.

🟢 If Mitigated

With proper file permissions and network segmentation, impact is limited to non-sensitive files accessible only to the Icinga Web2 service account.

🌐 Internet-Facing: HIGH - Internet-facing Icinga Web2 instances are directly accessible to attackers without network controls.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to escalate privileges or move laterally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are typically easy to exploit with simple HTTP requests containing path traversal sequences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.6.4, v2.7.4, or v2.8.2

Vendor Advisory: https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/

Restart Required: Yes

Instructions:

1. Back up your current Icinga Web2 configuration.
2. Upgrade to the patched version matching your release track (2.6.x → 2.6.4, 2.7.x → 2.7.4, 2.8.x → 2.8.2).
3. Restart the Icinga Web2 service.
4. Verify the fix by checking the version and testing for the vulnerability.

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict network access to Icinga Web2 to trusted IP addresses only

# Configure firewall rules to limit access; replace trusted_network with your
# trusted source range in CIDR form, e.g. 10.0.0.0/8 (placeholder, not a real value)
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
# -A appends, so these DROP rules only take effect if no earlier rule in the
# INPUT chain already accepts web traffic; check with `iptables -L INPUT -n --line-numbers`
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

File Permission Hardening (Linux)

Restrict file permissions for the Icinga Web2 service account

# Limit service account access to necessary directories
chown -R icingaweb2:icingaweb2 /etc/icingaweb2
chmod 750 /etc/icingaweb2
# Remove world-readable permissions from sensitive files; the web server user
# (e.g. www-data or apache) must still be able to read them, typically through
# membership in the icingaweb2 group, or the application will fail to start
find /etc/icingaweb2 -type f -name '*.conf' -exec chmod 640 {} \;

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Icinga Web2 from untrusted networks
  • Apply file system controls to limit the Icinga Web2 service account to only necessary directories

🔍 How to Verify

Check if Vulnerable:

Check the Icinga Web2 version. Any version from 2.0.0 up to, but not including, the fixed releases 2.6.4, 2.7.4, and 2.8.2 is vulnerable.

Check Version:

icingacli version | grep 'Icinga Web'

Verify Fix Applied:

After patching, verify the version is 2.6.4, 2.7.4, or 2.8.2 and test with directory traversal attempts that should be blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' or similar path traversal sequences in URLs
  • Access to files outside expected Icinga Web2 directories in web server logs
  • Failed file access attempts in Icinga Web2 application logs

Network Indicators:

  • HTTP requests with encoded directory traversal sequences (%2e%2e%2f, ..%2f)
  • Unusual file access patterns from single IP addresses

SIEM Query:

source="web_access.log" AND (url="*..%2f*" OR url="*../*" OR url="*%2e%2e%2f*")
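The log and network indicators above, as an added detection example (not code from the original page or from the Icinga project): it parses constructed Apache-style access-log lines, percent-decodes each request URL repeatedly so that the single-encoded (..%2f, %2e%2e%2f) and double-encoded (%252e%252e) variants are caught, and flags any request whose decoded path or query contains a '..' segment. The log lines, client addresses and the /icingaweb2 base path are constructed assumptions.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not real traffic); the first two are benign,
# the rest carry plain, single-encoded and double-encoded traversal sequences.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2020:10:00:01 +0000] "GET /icingaweb2/dashboard HTTP/1.1" 200 5120
203.0.113.5 - - [20/Aug/2020:10:00:02 +0000] "GET /icingaweb2/css/icinga.min.css HTTP/1.1" 200 8000
198.51.100.7 - - [20/Aug/2020:10:00:03 +0000] "GET /icingaweb2/img/../../../../etc/passwd HTTP/1.1" 200 1200
198.51.100.7 - - [20/Aug/2020:10:00:04 +0000] "GET /icingaweb2/img/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1200
198.51.100.7 - - [20/Aug/2020:10:00:05 +0000] "GET /icingaweb2/img/%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1200
"""

# Apache/nginx combined-style line: client IP, timestamp, request line, status, bytes.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \d+'
)
# A '..' segment bounded by path or query separators, evaluated after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[/?=&;])\.\.(?=[/?&;]|$)')


def fully_decode(url, max_rounds=3):
    """Percent-decode repeatedly so %252e%252e (double-encoded '..') is caught too."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def is_traversal(raw_url):
    """True if the decoded URL (path or query string) contains a '..' segment."""
    decoded = fully_decode(raw_url).replace("\\", "/")  # treat backslashes as separators
    return TRAVERSAL_RE.search(decoded) is not None


def find_traversal_attempts(log_text):
    """Return (ip, status, raw_url, decoded_url) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal(m["url"]):
            hits.append((m["ip"], int(m["status"]), m["url"], fully_decode(m["url"])))
    return hits


if __name__ == "__main__":
    # A 200 status on a traversal request is the strongest indicator: the file was served.
    for ip, status, raw, decoded in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {raw} -> {decoded}")
```

Requests that decode to a traversal but return 403 or 404 are still worth alerting on as reconnaissance, while a 200 on an unpatched instance means the read likely succeeded.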
