Search
Find a vulnerability
Search criteria
4 vulnerabilities found for icingadb-web by Icinga
CVE-2025-61789 (GCVE-0-2025-61789)
Vulnerability from nvd – Published: 2025-10-16 17:00 – Updated: 2025-10-16 18:03
VLAI
Title
Icinga DB Web hidden/protected custom variables are prone to filter enumeration
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Icinga/icingadb-web/security/a… | x_refsource_CONFIRM |
| https://github.com/Icinga/icingadb-web/commit/5e9… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Icinga | icingadb-web |
Affected:
< 1.1.4
Affected: >= 1.2.0, < 1.2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:03:04.157632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:03:11.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingadb-web",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.4"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T17:00:32.247Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429"
},
{
"name": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18"
}
],
"source": {
"advisory": "GHSA-w57j-28jc-8429",
"discovery": "UNKNOWN"
},
"title": "Icinga DB Web hidden/protected custom variables are prone to filter enumeration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61789",
"datePublished": "2025-10-16T17:00:32.247Z",
"dateReserved": "2025-09-30T19:43:49.903Z",
"dateUpdated": "2025-10-16T18:03:11.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53840 (GCVE-0-2025-53840)
Vulnerability from nvd – Published: 2025-07-16 13:34 – Updated: 2025-07-18 14:56
VLAI
Title
Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Icinga/icingadb-web/security/a… | x_refsource_CONFIRM |
| https://github.com/Icinga/icingadb-web/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Icinga | icingadb-web |
Affected:
>= 1.2.0, < 1.2.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T14:55:55.415220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T14:56:03.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingadb-web",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren\u0027t meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host\u0027s or service\u0027s detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T13:34:37.477Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473"
},
{
"name": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2"
}
],
"source": {
"advisory": "GHSA-q2w7-mrx8-5473",
"discovery": "UNKNOWN"
},
"title": "Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53840",
"datePublished": "2025-07-16T13:34:37.477Z",
"dateReserved": "2025-07-09T14:14:52.532Z",
"dateUpdated": "2025-07-18T14:56:03.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61789 (GCVE-0-2025-61789)
Vulnerability from cvelistv5 – Published: 2025-10-16 17:00 – Updated: 2025-10-16 18:03
VLAI
Title
Icinga DB Web hidden/protected custom variables are prone to filter enumeration
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Icinga/icingadb-web/security/a… | x_refsource_CONFIRM |
| https://github.com/Icinga/icingadb-web/commit/5e9… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Icinga | icingadb-web |
Affected:
< 1.1.4
Affected: >= 1.2.0, < 1.2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:03:04.157632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:03:11.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingadb-web",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.4"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T17:00:32.247Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429"
},
{
"name": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18"
}
],
"source": {
"advisory": "GHSA-w57j-28jc-8429",
"discovery": "UNKNOWN"
},
"title": "Icinga DB Web hidden/protected custom variables are prone to filter enumeration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61789",
"datePublished": "2025-10-16T17:00:32.247Z",
"dateReserved": "2025-09-30T19:43:49.903Z",
"dateUpdated": "2025-10-16T18:03:11.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53840 (GCVE-0-2025-53840)
Vulnerability from cvelistv5 – Published: 2025-07-16 13:34 – Updated: 2025-07-18 14:56
VLAI
Title
Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Icinga/icingadb-web/security/a… | x_refsource_CONFIRM |
| https://github.com/Icinga/icingadb-web/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Icinga | icingadb-web |
Affected:
>= 1.2.0, < 1.2.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T14:55:55.415220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T14:56:03.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingadb-web",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren\u0027t meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host\u0027s or service\u0027s detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T13:34:37.477Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473"
},
{
"name": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2"
}
],
"source": {
"advisory": "GHSA-q2w7-mrx8-5473",
"discovery": "UNKNOWN"
},
"title": "Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53840",
"datePublished": "2025-07-16T13:34:37.477Z",
"dateReserved": "2025-07-09T14:14:52.532Z",
"dateUpdated": "2025-07-18T14:56:03.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}