CVE-2025-48057

Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious certificate request that is then treated as a renewal of an already existing certificate, resulting in the attacker obtaining a valid certificate that can be used to impersonate trusted nodes. This only occurs when Icinga 2 is built with OpenSSL older than version 1.1.0. This issue has been patched in versions 2.12.12, 2.13.12, and 2.14.6.

CVSS

No CVSS.

References

Link	Resource
https://github.com/Icinga/icinga2/commit/34c93a2542bbe4e9886d15bc17ec929ead1aa152
https://github.com/Icinga/icinga2/commit/4023128be42b18a011dda71ddee9ca79955b89cb
https://github.com/Icinga/icinga2/commit/60f75f4a3d5cbb234eb3694ba7e9076a1a5b8776
https://github.com/Icinga/icinga2/commit/9ad5683aab9eb392c6737ff46c830a945c9e240f
https://github.com/Icinga/icinga2/commit/9b2c05d0cc09210bdeade77cf9a73859250fc48d
https://github.com/Icinga/icinga2/security/advisories/GHSA-7vcf-f5v9-3wr6

Configurations

No configuration.

History

28 May 2025, 15:01

Type	Values Removed	Values Added
Summary		(es) Icinga 2 es un sistema de monitorización que comprueba la disponibilidad de los recursos de red, notifica a los usuarios sobre interrupciones y genera datos de rendimiento para la generación de informes. En versiones anteriores a las 2.12.12, 2.13.12 y 2.14.6, la función VerifyCertificate() podía ser manipulada para que tratara incorrectamente los certificados como válidos. Esto permite a un atacante enviar una solicitud de certificado maliciosa que se trata como una renovación de un certificado ya existente, lo que permite al atacante obtener un certificado válido que puede usar para suplantar nodos de confianza. Esto solo ocurre cuando Icinga 2 se compila con OpenSSL anterior a la versión 1.1.0. Este problema se ha corregido en las versiones 2.12.12, 2.13.12 y 2.14.6.

27 May 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-27 17:15

Updated : 2025-05-28 15:01

NVD link : CVE-2025-48057

Mitre link : CVE-2025-48057

CVE.ORG link : CVE-2025-48057

JSON object : View

Products Affected

No product.

CWE

CWE-296

Improper Following of a Certificate's Chain of Trust

JSON object

Attach tags to CVE-2025-48057

Attach tags to `CVE-2025-48057`