CVE-2025-53840
BaseFortify
Publication date: 2025-07-16
Last updated on: 2025-12-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| icinga | icinga_db_web | From 1.2.0 (inclusive) to 1.2.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Icinga DB Web versions from 1.2.0 up to but not including 1.2.2 allows users who have access to Icinga Dependency Views to see hosts and services on the dependency map that they should not be able to see. However, the names of these objects are not revealed, nor can the users access detailed views of the hosts or services. The issue affects the restrictions filter/hosts and filter/services, but not filter/objects. Version 1.2.2 fixes this issue by properly applying these restrictions.
How can this vulnerability impact me?
The impact of this vulnerability is limited information disclosure. Users with certain access can see the presence of hosts and services they are not authorized to view on the dependency map, although they cannot see the names or detailed information. This could potentially reveal some network or system structure information that was meant to be restricted.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Icinga DB Web to version 1.2.2 or later where the restrictions are properly applied. Alternatively, as a workaround, you may downgrade to version 1.1.3.