CVE-2025-61789

Published: Oct 16, 2025Modified: Dec 11, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used.

Affected (2)

Products: Icinga: Icinga Db Web

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Icinga Icinga Db Web	Before 1.1.4
Icinga Icinga Db Web	From 1.2.0 to 1.2.3

Related CWEs

Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References (2)

https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18

Source: security-advisories@github.com

Patch

https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429

Source: security-advisories@github.com

PatchVendor Advisory

Timeline

No history available yet.