{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "2.8.0" }, { "fixed": "2.8.3" } ] }, "events": [ { "introduced": "06ed955cb5bcc51179f92fbbd20303428208827b" }, { "fixed": "292d71c43954bfbdcdab596520b6c0a3c7922ecd" } ], "repo": "https://github.com/icinga/icinga2", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "2.3.0" }, { "fixed": "2.7.5" } ] }, "events": [ { "introduced": "1a7da738aec1e64503c9814dcd330811831c77ab" }, { "fixed": "18996270b264976adf18d20da557d0c2806217c5" }, { "fixed": "479f990d5981354c05c362700117fe086cd048a9" }, { "fixed": "3b0a0a78df9389c46d3a74611a8eaec2f2b3cc77" } ], "repo": "https://github.com/icinga/icingaweb2", "type": "GIT" } ] } ], "details": "Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.", "id": "CVE-2021-32746", "modified": "2026-03-13T21:50:47.338923512Z", "published": "2021-07-12T23:15:07.710Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.7.5" }, { "type": "ADVISORY", "url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.8.3" }, { "type": "ADVISORY", "url": "https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0" }, { "type": "EVIDENCE", "url": "https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43" } ], "related": [ "GHSA-cmgc-h4cx-3v43" ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ] }