FKIE_CVE-2025-34270

Vulnerability from fkie_nvd - Published: 2025-10-30 22:15 - Updated: 2026-06-17 09:13
Severity
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.
References
disclosure@vulncheck.comhttps://support.nagios.com/kb/article/authenticating-and-importing-users-with-ad-and-ldap-995.htmlNot Applicable
disclosure@vulncheck.comhttps://www.nagios.com/changelog/#log-serverRelease Notes
disclosure@vulncheck.comhttps://www.nagios.com/products/security/#log-server-2024R2Vendor Advisory
disclosure@vulncheck.comhttps://www.vulncheck.com/advisories/nagios-log-server-ad-ldap-import-password-not-obfuscatedThird Party Advisory
Impacted products
Vendor Product Version
nagios log_server *
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "AD/LDAP user import workflow"
          ],
          "product": "Log Server",
          "vendor": "Nagios",
          "versions": [
            {
              "lessThan": "2024R2.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "disclosure@vulncheck.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nagios:log_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "87E74637-713C-4DD7-B97E-2F247B7B12B1",
              "versionEndExcluding": "2024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1:*:*:*:*:*:*",
              "matchCriteriaId": "B93D415C-B2C0-42CE-B9B3-29C29A3DCC16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.1:*:*:*:*:*:*",
              "matchCriteriaId": "997B64B5-A3F2-4D0E-B05E-CCA76D598C18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.2:*:*:*:*:*:*",
              "matchCriteriaId": "D20F6746-83DD-49AE-8C3D-AF2FFB47A89E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.1:*:*:*:*:*:*",
              "matchCriteriaId": "5EF32AF5-19EA-495A-AB28-F78F33DDEC3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.2:*:*:*:*:*:*",
              "matchCriteriaId": "4C26DE7A-37AA-4570-81C1-2E0C1A9026F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3:*:*:*:*:*:*",
              "matchCriteriaId": "52C22468-A773-49C8-81AD-9B76C26BFFD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.1:*:*:*:*:*:*",
              "matchCriteriaId": "7CEC223A-A3EE-4C51-8B71-E19C73B9215C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.2:*:*:*:*:*:*",
              "matchCriteriaId": "DB7A3A2A-DF36-4495-A5FE-826085120997",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.3:*:*:*:*:*:*",
              "matchCriteriaId": "0AC10FEF-5606-4949-9E5E-E44FE1CE418D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.4:*:*:*:*:*:*",
              "matchCriteriaId": "EC2BBD0F-12FE-4A8F-894E-ABAEEE081E10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.5:*:*:*:*:*:*",
              "matchCriteriaId": "16861134-A375-4918-8171-77C14A3351EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r2:*:*:*:*:*:*",
              "matchCriteriaId": "6AAEC3D7-AD80-4647-9130-F42CE4785906",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r2.0.1:*:*:*:*:*:*",
              "matchCriteriaId": "DB3DFA03-0D49-4E43-9041-D7C30615B3D5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results."
    }
  ],
  "id": "CVE-2025-34270",
  "lastModified": "2026-06-17T09:13:46.530",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2025-34270",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2025-10-31T15:15:14.131909Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2025-10-30T22:15:47.533",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://support.nagios.com/kb/article/authenticating-and-importing-users-with-ad-and-ldap-995.html"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.nagios.com/changelog/#log-server"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.nagios.com/products/security/#log-server-2024R2"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.vulncheck.com/advisories/nagios-log-server-ad-ldap-import-password-not-obfuscated"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-312"
        },
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.