CVE-2021-37698

Name: CVE-2021-37698
Creator: NVD / NIST
Published: 2021-08-19T16:15:12.42+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 1.42%

Last modified Jun 17, 2026

CVE-2021-37698 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. EPSS estimates a 1.42% chance of exploitation in the next 30 days.

Description

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such instances should also change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds aside from upgrading.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

1.42%

69.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Icinga	Icinga	>= 2.5.0, < 2.11.10
Icinga	Icinga	>= 2.12.0, < 2.12.6
Icinga	Icinga	>= 2.13.0, < 2.13.1
Debian	Debian Linux	9.0

References

https://github.com/Icinga/icinga2/releases/tag/v2.11.11Release Notes, Third Party Advisory
https://github.com/Icinga/icinga2/releases/tag/v2.12.6Release Notes, Third Party Advisory
https://github.com/Icinga/icinga2/releases/tag/v2.13.1Release Notes, Third Party Advisory
https://github.com/Icinga/icinga2/security/advisories/GHSA-cxfm-8j5v-5qr2Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00010.htmlMailing List, Third Party Advisory
https://github.com/Icinga/icinga2/releases/tag/v2.11.11Release Notes, Third Party Advisory
https://github.com/Icinga/icinga2/releases/tag/v2.12.6Release Notes, Third Party Advisory
https://github.com/Icinga/icinga2/releases/tag/v2.13.1Release Notes, Third Party Advisory
https://github.com/Icinga/icinga2/security/advisories/GHSA-cxfm-8j5v-5qr2Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00010.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/11/msg00010.html

Timeline

Published: Aug 19, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-37698?

How severe is CVE-2021-37698?

CVE-2021-37698 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.42% probability of exploitation in the next 30 days.

How do I fix CVE-2021-37698?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-37698?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST