CVE-2025-53840

Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.

CVSS v3 2.4 LOW

2.4^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2	Release Notes
https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-07-16 14:15

Updated : 2025-12-11 18:26

NVD link : CVE-2025-53840

Mitre link : CVE-2025-53840

CVE.ORG link : CVE-2025-53840

JSON object : View

Products Affected

icinga

icinga_db_web

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2025-53840", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.4, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 0.9}]}, "published": "2025-07-16T14:15:28.173", "references": [{"url": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3."}, {"lang": "es", "value": "Icinga DB Web proporciona una interfaz gr\u00e1fica para la monitorizaci\u00f3n de Icinga. A partir de la versi\u00f3n 1.2.0 y anteriores a la 1.2.2, los usuarios con acceso a las Vistas de Dependencias de Icinga pueden ver hosts y servicios que no deber\u00edan en el mapa de dependencias. Sin embargo, no se revelar\u00e1 el nombre de un objeto ni se acceder\u00e1 a la vista detallada de un host o servicio. Tenga en cuenta que esto solo afecta a las restricciones `filter/hosts` y `filter/services`. `filter/objects` no se ve afectado y restringe los objetos como deber\u00eda. La versi\u00f3n 1.2.2 aplica estas restricciones correctamente. Como soluci\u00f3n alternativa, se puede actualizar a la versi\u00f3n 1.1.3."}], "lastModified": "2025-12-11T18:26:44.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66E2DDA8-2B0B-4BEE-9AD7-E62DB25EF134", "versionEndExcluding": "1.2.2", "versionStartIncluding": "1.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}