CVE-2020-14004

An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user.

References

Affected packages

Git / github.com/icinga/icinga2

Affected ranges

Type

GIT

Repo

https://github.com/icinga/icinga2

Events

Introduced

30384a4340011723869969e76a3dd2801786cf2e

Last affected

911c14fad87719aa6bc95b17ddf579acd31acf83

Introduced

Last affected

71cefb9ea4e5f0f824ca78bb92ff1332b0165726

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "last_affected": "2.11.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.12.0-rc1"
        }
    ]
}

Affected versions

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.1.0

v2.1.1

v2.10.0

v2.10.1

v2.11.0

v2.11.0-rc1

v2.11.1

v2.11.2

v2.11.3

v2.12.0-rc1

v2.2.0

v2.3.0

v2.4.0

v2.5.0

v2.6.0

v2.6.1

v2.7.0

v2.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-14004.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.0-sp1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.0-sp2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.2"
            }
        ]
    }
]