CVE-2025-61907

EUVD-2025-34794

16.10.2025, 18:15

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 14%

Affected Products (NVD)

Vendor	Product	Version
icinga	icinga	2.4.0 ≤ 𝑥 < 2.13.13
icinga	icinga	2.14.0 ≤ 𝑥 < 2.14.7
icinga	icinga	2.15.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

icinga2

bookworm	no-dsa
bullseye	postponed
bullseye (security)	vulnerable
forky	2.15.2-1 fixed
sid	2.15.2-2 fixed
trixie	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

icinga2

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
plucky	ignored
questing	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/Icinga/icinga2/commit/56255ac7a689b9e198742d2fca6f7459a54c85a3

https://github.com/Icinga/icinga2/security/advisories/GHSA-gg32-w9rm-vp2v