LiveActive security incident?Get immediate response
CVE Record

CVE-2021-32743: Passwords used to access external services inadvertently exposed through API

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these passwords are no longer exposed via the API. As a workaround, API user permissions can be restricted to not allow querying of any affected objects, either by explicitly listing only the required object types for object query permissions, or by applying a filter rule.

HighCVSS 8.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2021-32743 lets authenticated Icinga 2 API users with read access see passwords used by Icinga for connected database, Redis, or Elasticsearch services. Those credentials could let an attacker act as Icinga against those services, with impact depending on the permissions assigned to the credentials.

Executive priority

Treat this as high priority for Icinga environments because it can expose operational credentials to authenticated API users. Prioritize systems where API access is delegated, integrated with automation, or where Icinga service accounts have write or administrative rights to backing services.

Technical view

Affected Icinga 2 versions before 2.11.10 and 2.12.0 through 2.12.4 exposed external-service credentials through the API for affected object types. Sources name IDO MySQL/PostgreSQL, IcingaDB Redis, and ElasticsearchWriter passwords. Fixed releases stop exposing these passwords via API.

Likely exposure

Exposure is likely where Icinga 2 API users have object read permissions and the deployment uses IDO database connections, IcingaDB Redis, or ElasticsearchWriter. The issue requires authenticated API access, so internet exposure matters less than API account scope and credential reuse or over-privilege.

Exploitation context

The bundle does not show CISA KEV listing or cited active exploitation. The attack path is credential disclosure to an authenticated, low-privileged API user, followed by possible impersonation to dependent services. Impact can reach confidentiality, integrity, and availability if exposed credentials have broad service permissions.

Researcher notes

CWE-202 fits because sensitive credentials were exposed through generated API representations. The source bundle supports affected-version, component, impact, fixed-release, and permission-workaround details. It does not provide evidence of public exploitation, unauthenticated access, or affected products beyond Icinga 2.

Mitigation direction

  • Upgrade Icinga 2 to 2.11.10, 2.12.5, or later fixed releases.
  • Restrict API object query permissions away from affected object types.
  • Use API filter rules where broad object permissions cannot be removed.
  • Rotate exposed database, Redis, and Elasticsearch credentials after remediation.
  • Reduce service-account privileges to the minimum Icinga requires.

Validation and detection

  • Inventory Icinga 2 versions across monitored environments.
  • Identify use of IDO, IcingaDB Redis, and ElasticsearchWriter features.
  • Review API users with read permissions for affected object types.
  • Confirm fixed package versions or vendor backports are installed.
  • Check whether exposed external-service credentials were reused elsewhere.
Prepared
Confidence
high
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-202: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
description · low confidence lookup

Database behavior lookup

The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-32743 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
5Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.8CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H2.85.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

8.8High
CVSS 3.1 vector shape for CVE-2021-32743Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Icingaicinga2< 2.11.10, >= 2.12.0, <= 2.12.4Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-202 · source CWE mapping

Exposure of Sensitive Information Through Data Queries

Exposure of Sensitive Information Through Data Queries represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.