CVE-2025-61907

16.10.2025, 18:15

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Debian Releases

Debian Product

Codename

icinga2

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	vulnerable
trixie	vulnerable
forky	vulnerable
sid	2.15.1-1 fixed

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Vulnerability Media Exposure

[GERMAN] Icinga: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Icinga ausnutzen, um Informationen offenzulegen oder einen Denial of Service hervorzurufen.
Published: 2025-10-16T22:00:00+00:00

References

https://github.com/Icinga/icinga2/commit/56255ac7a689b9e198742d2fca6f7459a54c85a3

https://github.com/Icinga/icinga2/security/advisories/GHSA-gg32-w9rm-vp2v