CVE-2025-53840

{"id": "CVE-2025-53840", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.4, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 0.9}]}, "published": "2025-07-16T14:15:28.173", "references": [{"url": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3."}, {"lang": "es", "value": "Icinga DB Web proporciona una interfaz gr\u00e1fica para la monitorizaci\u00f3n de Icinga. A partir de la versi\u00f3n 1.2.0 y anteriores a la 1.2.2, los usuarios con acceso a las Vistas de Dependencias de Icinga pueden ver hosts y servicios que no deber\u00edan en el mapa de dependencias. Sin embargo, no se revelar\u00e1 el nombre de un objeto ni se acceder\u00e1 a la vista detallada de un host o servicio. Tenga en cuenta que esto solo afecta a las restricciones `filter/hosts` y `filter/services`. `filter/objects` no se ve afectado y restringe los objetos como deber\u00eda. La versi\u00f3n 1.2.2 aplica estas restricciones correctamente. Como soluci\u00f3n alternativa, se puede actualizar a la versi\u00f3n 1.1.3."}], "lastModified": "2025-12-11T18:26:44.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66E2DDA8-2B0B-4BEE-9AD7-E62DB25EF134", "versionEndExcluding": "1.2.2", "versionStartIncluding": "1.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}