Vulnerability in the Icinga Web monitoring interface

Corrective releases 2.6.4, 2.7.4 and 2.8.2 of Icinga Web 2, the web interface for the Icinga monitoring system, have been published. The updates fix a critical vulnerability (CVE-2020-24368) that allows an unauthenticated attacker to read files on the server with the privileges of the Icinga Web process (usually the user the HTTP server or PHP-FPM runs as), i.e. any file that user can read.

A successful attack requires that at least one additional (third-party) module shipping its own images or icons is installed. Such modules include Icinga Business Process Modeling, Icinga Director, Icinga Reporting, the Maps module and the Globe module. The modules themselves contain no vulnerability; they are merely the precondition that makes the attack on Icinga Web possible.

The attack is carried out by sending an HTTP GET or POST request to the handler that serves module images, which can be reached without an account. For example, if Icinga Web 2 is available at "/icingaweb2" and the businessprocess module is installed under /usr/share/icingaweb2/modules, the contents of /etc/os-release can be read with the request "GET /icingaweb2/static/img?module_name=businessprocess&file=../../../../../../../etc/os-release". The seven "../" segments are exactly enough to climb from the module's image directory to the filesystem root, after which any path can follow.
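The following is an added illustration, not Icinga Web 2's own (PHP) code: it contrasts the naive path concatenation that makes a request like the one above work with a contained variant that normalises the joined path and refuses anything that leaves the module's image directory, and it flags such requests in a constructed access-log line. The module directory is taken from the text; the module layout (<module>/public/img) and the log format are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Module directory named in the text; the public/img layout underneath is an assumption.
MODULE_ROOT = "/usr/share/icingaweb2/modules"


def vulnerable_image_path(module_name: str, file: str) -> str:
    """Naive handler logic: glue the user-supplied file name under the module's
    image directory without normalising or containing the result. Every '..'
    survives, so the path escapes. Illustration only, not the project's code."""
    return f"{MODULE_ROOT}/{module_name}/public/img/{file}"


def safe_image_path(module_name: str, file: str):
    """Hardened variant: restrict the module name to a safe alphabet, normalise
    the joined path lexically and require it to stay strictly inside the
    module's image directory. Returns None when the request must be refused."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", module_name) or "\0" in file:
        return None
    img_dir = posixpath.join(MODULE_ROOT, module_name, "public", "img")
    # posixpath.join discards img_dir entirely when `file` is absolute, and
    # normpath collapses every '..', so both kinds of escape land outside img_dir.
    candidate = posixpath.normpath(posixpath.join(img_dir, file))
    if not candidate.startswith(img_dir + "/"):
        return None
    # Lexical containment does not see symlinks: a real handler should also
    # os.path.realpath() the existing file and repeat the prefix check.
    return candidate


# Constructed combined-format access-log line carrying the request from the text.
SAMPLE_LOG = (
    '203.0.113.5 - - [21/Aug/2020:10:15:32 +0000] '
    '"GET /icingaweb2/static/img?module_name=businessprocess'
    '&file=../../../../../../../etc/os-release HTTP/1.1" 200 312 "-" "curl/7.68.0"'
)

LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def flag_traversal_request(log_line: str):
    """Return the decoded `file` value of a request to the static image handler
    that escapes its directory, or None for benign or unrelated lines."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/static/img"):
        return None
    for value in parse_qs(parts.query).get("file", []):
        # parse_qs percent-decodes once; decode again to catch double encoding.
        decoded = unquote(value)
        if decoded.startswith("/") or ".." in decoded.split("/"):
            return decoded
    return None


if __name__ == "__main__":
    attack = "../../../../../../../etc/os-release"
    print("naive   :", vulnerable_image_path("businessprocess", attack))
    print("hardened:", safe_image_path("businessprocess", attack))
    print("log hit :", flag_traversal_request(SAMPLE_LOG))
```

The hardened function also rejects an absolute `file` value and a module name containing path separators, two escape routes that a check for the literal string ".." alone would miss; the log check decodes twice so that a percent-encoded or double-encoded "../" is still caught.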

Source: opennet.ru
