FKIE_CVE-2025-34272

Vulnerability from fkie_nvd - Published: 2025-10-30 22:15 - Updated: 2025-11-06 16:29
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
In Nagios Log Server versions prior to 2024R2.0.3, when a user's configured default dashboard is deleted, the application does not reliably fall back to an empty, default dashboard. In some implementations this can result in an unexpected dashboard being presented as the user's default view. Depending on the product's dashboard sharing and access policies, this behavior may cause information exposure or unexpected privilege exposure.
References
disclosure@vulncheck.comhttps://www.nagios.com/changelog/#log-serverRelease Notes
disclosure@vulncheck.comhttps://www.nagios.com/products/security/#log-server-2024R2Vendor Advisory
disclosure@vulncheck.comhttps://www.vulncheck.com/advisories/nagios-log-server-non-empty-default-dashboard-fallbackThird Party Advisory
Impacted products
Vendor Product Version
nagios log_server *
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
nagios log_server 2024
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nagios:log_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "87E74637-713C-4DD7-B97E-2F247B7B12B1",
              "versionEndExcluding": "2024",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1:*:*:*:*:*:*",
              "matchCriteriaId": "B93D415C-B2C0-42CE-B9B3-29C29A3DCC16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.1:*:*:*:*:*:*",
              "matchCriteriaId": "997B64B5-A3F2-4D0E-B05E-CCA76D598C18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.2:*:*:*:*:*:*",
              "matchCriteriaId": "D20F6746-83DD-49AE-8C3D-AF2FFB47A89E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.1:*:*:*:*:*:*",
              "matchCriteriaId": "5EF32AF5-19EA-495A-AB28-F78F33DDEC3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.2:*:*:*:*:*:*",
              "matchCriteriaId": "4C26DE7A-37AA-4570-81C1-2E0C1A9026F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3:*:*:*:*:*:*",
              "matchCriteriaId": "52C22468-A773-49C8-81AD-9B76C26BFFD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.1:*:*:*:*:*:*",
              "matchCriteriaId": "7CEC223A-A3EE-4C51-8B71-E19C73B9215C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.2:*:*:*:*:*:*",
              "matchCriteriaId": "DB7A3A2A-DF36-4495-A5FE-826085120997",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.3:*:*:*:*:*:*",
              "matchCriteriaId": "0AC10FEF-5606-4949-9E5E-E44FE1CE418D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.4:*:*:*:*:*:*",
              "matchCriteriaId": "EC2BBD0F-12FE-4A8F-894E-ABAEEE081E10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.5:*:*:*:*:*:*",
              "matchCriteriaId": "16861134-A375-4918-8171-77C14A3351EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r2:*:*:*:*:*:*",
              "matchCriteriaId": "6AAEC3D7-AD80-4647-9130-F42CE4785906",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r2.0.1:*:*:*:*:*:*",
              "matchCriteriaId": "DB3DFA03-0D49-4E43-9041-D7C30615B3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nagios:log_server:2024:r2.0.2:*:*:*:*:*:*",
              "matchCriteriaId": "2333DBDE-6F1F-4286-B58C-74ABE18B9469",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Nagios Log Server versions prior to 2024R2.0.3, when a user\u0027s configured default dashboard is deleted, the application does not reliably fall back to an empty, default dashboard. In some implementations this can result in an unexpected dashboard being presented as the user\u0027s default view. Depending on the product\u0027s dashboard sharing and access policies, this behavior may cause information exposure or unexpected privilege exposure."
    }
  ],
  "id": "CVE-2025-34272",
  "lastModified": "2025-11-06T16:29:24.517",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-30T22:15:47.810",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.nagios.com/changelog/#log-server"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.nagios.com/products/security/#log-server-2024R2"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.vulncheck.com/advisories/nagios-log-server-non-empty-default-dashboard-fallback"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.