Icinga Director REST API Improper Access Control Vulnerability Allowing Sensitive Information Disclosure

Vulnerability

A vulnerability exists in Icinga Director versions from 1.0.0 up to, but not including, the fixed releases 1.10.3 and 1.11.3, allowing restricted users to access sensitive information through several REST API endpoints. Affected endpoints include 'icingaweb2/director/service' (when no host name is specified), 'icingaweb2/director/notification', 'icingaweb2/director/serviceset', and 'icingaweb2/director/scheduled-downtime'. Additionally, the 'icingaweb2/director/services?host=filteredHostName' endpoint can be used to confirm whether a host exists, which further enables exploitation. This vulnerability could lead to unauthorized configuration changes, data breaches, and disclosure of sensitive information.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive information, including the ability to manipulate configurations of restricted objects, potentially leading to further exploitation and data breaches.

Remediation

Users are advised to upgrade to Icinga Director versions 1.10.3 or 1.11.3. If an immediate upgrade is not possible, the Director module can be disabled for users other than those with admin roles.
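As an added example (not part of this advisory and not Icinga's own code), the following Python script turns the version ranges and endpoint list above into two defender-side checks: a version test that reports whether an installed Director falls inside the advisory's stated ranges, and an access-log audit that flags requests to the named endpoints by users who are not in an administrator set. The combined-format log lines, the user names and the '/icingaweb2' path prefix are constructed or assumed for illustration; nothing outside the advisory's stated ranges is reported as affected.

```python
"""Added example derived from the advisory text; not part of Icinga Director.

The access-log format, user names and the '/icingaweb2' prefix are constructed
or assumed for illustration only.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Advisory: affected from 1.0.0 up to, but not including, the fixed releases
# 1.10.3 and 1.11.3.  Keyed by (major, minor) branch.
FIXED_RELEASES = {(1, 10): (1, 10, 3), (1, 11): (1, 11, 3)}
FIRST_AFFECTED = (1, 0, 0)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'1.10.2', 'v1.11' or '1.10.3-rc1' -> (major, minor, patch) as ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True when the installed Director version lies in the advisory's ranges."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    if v[:2] in FIXED_RELEASES:
        return v < FIXED_RELEASES[v[:2]]
    # 1.0 .. 1.9 predate both fixes; newer branches are outside the advisory
    return v < (1, 10, 0)


# Endpoints the advisory names.  'service' only leaks when no host is given;
# 'services?host=...' lets a restricted user confirm that a host exists.
DIRECTOR_PREFIX = "/icingaweb2/director/"   # assumed deployment prefix
OBJECT_ENDPOINTS = {"notification", "serviceset", "scheduled-downtime"}


def classify_request(target):
    """Map a request target (path + query) to an advisory category, or None."""
    parts = urlsplit(target)
    if not parts.path.startswith(DIRECTOR_PREFIX):
        return None
    endpoint = parts.path[len(DIRECTOR_PREFIX):].strip("/")
    query = parse_qs(parts.query)
    if endpoint in OBJECT_ENDPOINTS:
        return "object-read"
    if endpoint == "service" and "host" not in query:
        return "object-read"
    if endpoint == "services" and "host" in query:
        return "host-probe"
    return None


# Combined-format line: client, ident, user, time, "method target proto", status
_LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def audit_access_log(lines, admin_users):
    """Return successful hits on the affected endpoints by non-admin users.

    Requests whose user field is '-' are kept: the log cannot show that they
    came from an admin role, so they need a closer look rather than a pass.
    """
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, user, method, target, status = m.groups()
        category = classify_request(target)
        if category is None or user in admin_users or status != "200":
            continue
        findings.append({"client": client, "user": user, "method": method,
                         "target": target, "category": category})
    return findings


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - alice [09/Jun/2025:19:46:00 +0000] "GET /icingaweb2/director/service?name=disk HTTP/1.1" 200 512',
    '10.0.0.5 - alice [09/Jun/2025:19:46:01 +0000] "GET /icingaweb2/director/service?name=disk&host=web01 HTTP/1.1" 403 0',
    '10.0.0.5 - alice [09/Jun/2025:19:46:02 +0000] "GET /icingaweb2/director/services?host=web01 HTTP/1.1" 200 120',
    '10.0.0.9 - admin [09/Jun/2025:19:46:03 +0000] "GET /icingaweb2/director/notification?name=ops HTTP/1.1" 200 300',
    '10.0.0.7 - - [09/Jun/2025:19:46:04 +0000] "GET /icingaweb2/director/scheduled-downtime?name=maint HTTP/1.1" 200 200',
    '10.0.0.7 - bob [09/Jun/2025:19:46:05 +0000] "GET /icingaweb2/director/host?name=web01 HTTP/1.1" 200 200',
]

if __name__ == "__main__":
    for ver in ("1.10.2", "1.10.3", "1.11.2", "1.11.3"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for hit in audit_access_log(SAMPLE_LOG, admin_users={"admin"}):
        print(hit)
```

On the sample data the audit reports alice's host-less 'service' read, alice's 'services?host=' probe and the anonymous 'scheduled-downtime' read, while the admin request, the denied (403) request and the unrelated 'host' endpoint are ignored. Only successful (200) responses are counted, since a denied request is not a disclosure; if the web server does not populate the user field (session-based login without external authentication), the audit still surfaces the endpoint hits but cannot attribute them, which is why '-' is not treated as an admin.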

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         1.3
exploitability: 4.8
remediation:    0.0
relevance:      0.0
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.