CVE-2025-53840

EUVD-2025-21706
Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views can see hosts and services on the dependency map that they were not meant to see. However, the name of an object is not revealed, nor does this grant access to a host's or service's detail view. Note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 2.4 LOW | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N |
| GitHub_M | CNA | 2.4 LOW | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N |

EPSS Score
Percentile: 9%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| icinga | icinga_db_web | 1.2.0 ≤ 𝑥 < 1.2.2 |

𝑥 = Vulnerable software versions

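Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| icingadb-web | bookworm | 1.0.2-1 | fixed |
| icingadb-web | forky | 1.3.0-1 | fixed |
| icingadb-web | sid | 1.3.0-1 | fixed |
| icingadb-web | trixie | 1.1.3-1 | fixed |
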
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| icingadb-web | jammy | dne |
| icingadb-web | noble | not-affected |
| icingadb-web | plucky | not-affected |