medium
5.5
CWE
200 284
Advisory Published
Updated

CVE-2025-23203: Icinga has rest API endpoints accessible to restricted users

First published: Wed Mar 26 2025(Updated: )

Icinga Director is an Icinga config deployment tool. A Security vulnerability has been found starting in version 1.0.0 and prior to 1.10.3 and 1.11.3 on several director endpoints of REST API. To reproduce this vulnerability an authenticated user with permission to access the Director is required (plus api access with regard to the api endpoints). And even though some of these Icinga Director users are restricted from accessing certain objects, are able to retrieve information related to them if their name is known. This makes it possible to change the configuration of these objects by those Icinga Director users restricted from accessing them. This results in further exploitation, data breaches and sensitive information disclosure. Affected endpoints include icingaweb2/director/service, if the host name is left out of the query; icingaweb2/directore/notification; icingaweb2/director/serviceset; and icingaweb2/director/scheduled-downtime. In addition, the endpoint `icingaweb2/director/services?host=filteredHostName` returns a status code 200 even though the services for the host is filtered. This in turn lets the restricted user know that the host `filteredHostName` exists even though the user is restricted from accessing it. This could again result in further exploitation of this information and data breaches. Icinga Director has patches in versions 1.10.3 and 1.11.1. If upgrading is not feasible, disable the director module for the users other than admin role for the time being.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
>=1.0.0<1.10.3>1.11.3

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2025-23203?

    CVE-2025-23203 has been classified with a moderate severity rating due to its potential impact on authenticated users.

  • How can I fix CVE-2025-23203?

    To mitigate CVE-2025-23203, upgrade Icinga Director to version 1.10.3 or 1.11.3 or later.

  • What versions of Icinga Director are affected by CVE-2025-23203?

    CVE-2025-23203 affects Icinga Director versions between 1.0.0 and 1.10.3, and any version after 1.11.3.

  • Who can exploit CVE-2025-23203?

    CVE-2025-23203 can be exploited by authenticated users who have permission to access the Icinga Director endpoints.

  • What are the risks of leaving CVE-2025-23203 unpatched?

    Leaving CVE-2025-23203 unpatched may expose sensitive configuration data and allow unauthorized changes by authenticated users.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203