CVE-2025-23203: Sensitive Information Exposure in Icingaweb2-module-director

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.1% (top 64.97%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 26

Description

Icinga Director is an Icinga config deployment tool. A security vulnerability has been found, starting in version 1.0.0 and prior to 1.10.4 and 1.11.4, on several Director endpoints of the REST API. Reproducing this vulnerability requires an authenticated user with permission to access the Director (plus API access with regard to the API endpoints). Even though some of these Icinga Director users are restricted from accessing certain objects, they are able to retrieve information related to them if

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Exploitability: 1.2 | Impact: 4.2

Affected Packages (2 packages)

CVEListV5: icinga/icingaweb2-module-director >= 1.0.0, < 1.10.4; >= 1.11.0, < 1.11.4 (+1)

🔴 Vulnerability Details (2)

OSV: CVE-2025-23203: Icinga Director is an Icinga config deployment tool (2025-03-26)
CVEList: Icinga has rest API endpoints accessible to restricted users (2025-03-26)

📋 Vendor Advisories (1)

Debian: CVE-2025-23203: icingaweb2-module-director - Icinga Director is an Icinga config deployment tool. A Security vulnerability ha... (2025)
CVE-2025-23203 — Sensitive Information Exposure | cvebase