CVE-2025-61907

16.10.2025, 18:15

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Vendor	Product	Version
icinga	icinga	2.4.0 ≤ 𝑥 < 2.13.13
icinga	icinga	2.14.0 ≤ 𝑥 < 2.14.7
icinga	icinga	2.15.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

icinga2

bullseye	postponed
trixie	no-dsa
bookworm	no-dsa
bullseye (security)	vulnerable
forky	2.15.1-1 fixed
sid	2.15.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

icinga2

questing	needs-triage
plucky	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/Icinga/icinga2/commit/56255ac7a689b9e198742d2fca6f7459a54c85a3

https://github.com/Icinga/icinga2/security/advisories/GHSA-gg32-w9rm-vp2v