Releasing Icinga Web v2.8.6 and v2.9.6

Mar 8, 2022

Today we’re announcing the general availability of Icinga Web v2.8.6 and v2.9.6. Both contain only security vulnerability fixes.

When To Upgrade

If you currently have v2.9.x installed, we recommend upgrading immediately. This is even more important if your installation is reachable from the Internet.

The Vulnerabilities

The first is a path traversal issue that affects installations of v2.9.0 and above. Another one allows admins to run arbitrary PHP code just by accessing the UI. The last one may disclose unwanted details to restricted users. Please check the advisories on GitHub for more details.

  • Path traversal in static library file requests for unauthenticated users (GHSA-5p3f-rh28-8frw)
  • SSH resources allow arbitrary code execution for authenticated users (GHSA-v9mv-h52f-7g63)
  • Unwanted disclosure of hosts and related data, linked to decommissioned services (GHSA-qcmg-vr56-x9wf)
