Security readout for executives and security teams
Plain-English summary
CVE-2021-32743 lets authenticated Icinga 2 API users with read access see passwords used by Icinga for connected database, Redis, or Elasticsearch services. Those credentials could let an attacker act as Icinga against those services, with impact depending on the permissions assigned to the credentials.
Executive priority
Treat this as high priority for Icinga environments because it can expose operational credentials to authenticated API users. Prioritize systems where API access is delegated, integrated with automation, or where Icinga service accounts have write or administrative rights to backing services.
Technical view
Affected Icinga 2 versions before 2.11.10 and 2.12.0 through 2.12.4 exposed external-service credentials through the API for affected object types. Sources name IDO MySQL/PostgreSQL, IcingaDB Redis, and ElasticsearchWriter passwords. Fixed releases stop exposing these passwords via API.
Likely exposure
Exposure is likely where Icinga 2 API users have object read permissions and the deployment uses IDO database connections, IcingaDB Redis, or ElasticsearchWriter. The issue requires authenticated API access, so internet exposure matters less than API account scope and credential reuse or over-privilege.
Exploitation context
The bundle does not show CISA KEV listing or cited active exploitation. The attack path is credential disclosure to an authenticated, low-privileged API user, followed by possible impersonation to dependent services. Impact can reach confidentiality, integrity, and availability if exposed credentials have broad service permissions.
Researcher notes
CWE-202 fits because sensitive credentials were exposed through generated API representations. The source bundle supports affected-version, component, impact, fixed-release, and permission-workaround details. It does not provide evidence of public exploitation, unauthenticated access, or affected products beyond Icinga 2.
Mitigation direction
- Upgrade Icinga 2 to 2.11.10, 2.12.5, or later fixed releases.
- Restrict API object query permissions away from affected object types.
- Use API filter rules where broad object permissions cannot be removed.
- Rotate exposed database, Redis, and Elasticsearch credentials after remediation.
- Reduce service-account privileges to the minimum Icinga requires.
Validation and detection
- Inventory Icinga 2 versions across monitored environments.
- Identify use of IDO, IcingaDB Redis, and ElasticsearchWriter features.
- Review API users with read permissions for affected object types.
- Confirm fixed package versions or vendor backports are installed.
- Check whether exposed external-service credentials were reused elsewhere.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-202: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCredential and access behavior lookup
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupDatabase behavior lookup
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2021-32743 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 8.8 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H2.85.9Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
8.8HighVector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source materials
- CVE List V5 sourceCVE List V5
- https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7CVE reference · x_refsource_CONFIRM
- https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/CVE reference · x_refsource_MISC
- [debian-lts-announce] 20211110 [SECURITY] [DLA 2816-1] icinga2 security updateCVE reference · mailing-list, x_refsource_MLIST
- https://lists.debian.org/debian-lts-announce/2024/11/msg00010.htmlCVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Exposure of Sensitive Information Through Data Queries
Exposure of Sensitive Information Through Data Queries represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
