Icinga DB Web Exposure of Sensitive Information to an Unauthorized...

2.4 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Description

Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.

Basic Information

ID CVE-2025-53840

Source GitHub_M

Published Jul 16, 2025 at 13:34

Modified Jul 18, 2025 at 14:56

Affected Product

Vendor Icinga

Product icingadb-web

Version >= 1.2.0, < 1.2.2

Affected Versions Icinga icingadb-web >= 1.2.0, < 1.2.2

CWE Classification

CWE-200

References

{
    "lastseen": "",
    "description": "Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.",
    "published": "2025-07-16T13:34:37.477Z",
    "modified": "2025-07-18T14:56:03.369Z",
    "type": "cve",
    "title": "Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability",
    "source": "GitHub_M",
    "references": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473\nhttps://github.com/Icinga/icingadb-web/releases/tag/v1.2.2",
    "id": "CVE-2025-53840",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "Icinga icingadb-web >= 1.2.0, < 1.2.2",
    "sourceHref": "",
    "cvss": {
        "score": 2.4,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "icingadb-web",
    "version": ">= 1.2.0, < 1.2.2",
    "vendor": "Icinga",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability_CVE-2025-53840