CVE-2025-61789
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-16

Last updated on: 2025-12-11

Assigner: GitHub, Inc.

Description
Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-16
Last Modified
2025-12-11
Generated
2026-06-16
AI Q&A
2025-10-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61789
EUVD
EUVD-2025-34795
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
icinga icinga_db_web to 1.1.4 (exc)
icinga icinga_db_web From 1.2.0 (inc) to 1.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Icinga DB Web versions before 1.1.4 and 1.2.3, where an authorized user can exploit a custom variable in a filter that is supposed to be protected or hidden to guess the values assigned to that variable. This means that even variables meant to be protected or denied can be inferred by such users. Versions 1.1.4 and 1.2.3 mitigate this by responding with an error when such a custom variable is used.

Impact Analysis

The vulnerability allows an authorized user to guess sensitive values of protected or hidden custom variables in Icinga DB Web. This can lead to unauthorized disclosure of sensitive information, potentially compromising confidentiality. The CVSS score indicates a moderate impact on confidentiality with no impact on integrity or availability.

Mitigation Strategies

Upgrade Icinga DB Web to version 1.1.4 or 1.2.3 or later, as these versions respond with an error when a protected or hidden custom variable is used in a filter, preventing the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61789. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart