cvelistv5 - cve-2025-53840

CVE-2025-53840 (GCVE-0-2025-53840)

Vulnerability from cvelistv5 – Published: 2025-07-16 13:34 – Updated: 2025-07-18 14:56

Summary

Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.

Severity ?

2.4 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/Icinga/icingadb-web/security/a…	x_refsource_CONFIRM
	https://github.com/Icinga/icingadb-web/releases/t…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Icinga	icingadb-web	Affected: >= 1.2.0, < 1.2.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53840",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-18T14:55:55.415220Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-18T14:56:03.369Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "icingadb-web",
          "vendor": "Icinga",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.2.0, \u003c 1.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren\u0027t meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host\u0027s or service\u0027s detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-16T13:34:37.477Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473"
        },
        {
          "name": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2"
        }
      ],
      "source": {
        "advisory": "GHSA-q2w7-mrx8-5473",
        "discovery": "UNKNOWN"
      },
      "title": "Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53840",
    "datePublished": "2025-07-16T13:34:37.477Z",
    "dateReserved": "2025-07-09T14:14:52.532Z",
    "dateUpdated": "2025-07-18T14:56:03.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53840\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-16T14:15:28.173\",\"lastModified\":\"2025-12-11T18:26:44.150\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren\u0027t meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host\u0027s or service\u0027s detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.\"},{\"lang\":\"es\",\"value\":\"Icinga DB Web proporciona una interfaz gr\u00e1fica para la monitorizaci\u00f3n de Icinga. A partir de la versi\u00f3n 1.2.0 y anteriores a la 1.2.2, los usuarios con acceso a las Vistas de Dependencias de Icinga pueden ver hosts y servicios que no deber\u00edan en el mapa de dependencias. Sin embargo, no se revelar\u00e1 el nombre de un objeto ni se acceder\u00e1 a la vista detallada de un host o servicio. Tenga en cuenta que esto solo afecta a las restricciones `filter/hosts` y `filter/services`. `filter/objects` no se ve afectado y restringe los objetos como deber\u00eda. La versi\u00f3n 1.2.2 aplica estas restricciones correctamente. Como soluci\u00f3n alternativa, se puede actualizar a la versi\u00f3n 1.1.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":2.4,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.2.0\",\"versionEndExcluding\":\"1.2.2\",\"matchCriteriaId\":\"66E2DDA8-2B0B-4BEE-9AD7-E62DB25EF134\"}]}]}],\"references\":[{\"url\":\"https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53840\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-18T14:55:55.415220Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-18T14:55:59.249Z\"}}], \"cna\": {\"title\": \"Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability\", \"source\": {\"advisory\": \"GHSA-q2w7-mrx8-5473\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Icinga\", \"product\": \"icingadb-web\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.2.0, \u003c 1.2.2\"}]}], \"references\": [{\"url\": \"https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473\", \"name\": \"https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2\", \"name\": \"https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren\u0027t meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host\u0027s or service\u0027s detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-16T13:34:37.477Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53840\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-18T14:56:03.369Z\", \"dateReserved\": \"2025-07-09T14:14:52.532Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-16T13:34:37.477Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-53840

Vulnerability from fkie_nvd - Published: 2025-07-16 14:15 - Updated: 2025-12-11 18:26

Severity ?

2.4 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N