CVE-2025-61789
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-12-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| icinga | icinga_db_web | before 1.1.4 (1.1.4 excluded) |
| icinga | icinga_db_web | from 1.2.0 (included) up to 1.2.3 (excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Icinga DB Web versions before 1.1.4 and 1.2.3. An authorized user can reference a custom variable that is supposed to be protected or hidden in a filter and, by observing how the response differs between filter values, guess the values assigned to that variable. Variables that are meant to be protected or denied can therefore be inferred by such users. Versions 1.1.4 and 1.2.3 mitigate this by responding with an error whenever such a custom variable is used in a filter.
How can this vulnerability impact me?
The vulnerability allows an authorized user to guess sensitive values of protected or hidden custom variables in Icinga DB Web. This can lead to unauthorized disclosure of sensitive information, potentially compromising confidentiality. The CVSS score indicates a moderate impact on confidentiality with no impact on integrity or availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Icinga DB Web to version 1.1.4 or 1.2.3 (or later). These versions respond with an error when a protected or hidden custom variable is used in a filter, which removes the response discrepancy the guessing relies on.