Refine your search
2 vulnerabilities found for icingadb-web by Icinga
CVE-2025-61789 (GCVE-0-2025-61789)
Vulnerability from cvelistv5
Published
2025-10-16 17:00
Modified
2025-10-16 18:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-204 - Observable Response Discrepancy
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingadb-web |
Version: < 1.1.4 Version: >= 1.2.0, < 1.2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:03:04.157632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:03:11.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingadb-web",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.4"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T17:00:32.247Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429"
},
{
"name": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18"
}
],
"source": {
"advisory": "GHSA-w57j-28jc-8429",
"discovery": "UNKNOWN"
},
"title": "Icinga DB Web hidden/protected custom variables are prone to filter enumeration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61789",
"datePublished": "2025-10-16T17:00:32.247Z",
"dateReserved": "2025-09-30T19:43:49.903Z",
"dateUpdated": "2025-10-16T18:03:11.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53840 (GCVE-0-2025-53840)
Vulnerability from cvelistv5
Published
2025-07-16 13:34
Modified
2025-07-18 14:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingadb-web |
Version: >= 1.2.0, < 1.2.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T14:55:55.415220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T14:56:03.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingadb-web",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren\u0027t meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host\u0027s or service\u0027s detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T13:34:37.477Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473"
},
{
"name": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2"
}
],
"source": {
"advisory": "GHSA-q2w7-mrx8-5473",
"discovery": "UNKNOWN"
},
"title": "Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53840",
"datePublished": "2025-07-16T13:34:37.477Z",
"dateReserved": "2025-07-09T14:14:52.532Z",
"dateUpdated": "2025-07-18T14:56:03.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}