Vulnerability Description
Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.
CVSS Score
4.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nagios | Log Server | < 2024R2.0.2 |
Related Weaknesses (CWE)
References
- https://support.nagios.com/kb/article/authenticating-and-importing-users-with-ad (Not Applicable)
- https://www.nagios.com/changelog/#log-server (Release Notes)
- https://www.nagios.com/products/security/#log-server-2024R2 (Vendor Advisory)
- https://www.vulncheck.com/advisories/nagios-log-server-ad-ldap-import-password-n (Third Party Advisory)
FAQ
What is CVE-2025-34270?
CVE-2025-34270 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext pa...
How severe is CVE-2025-34270?
CVE-2025-34270 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-34270?
Check the references section above for vendor advisories and patch information. Affected products include: Nagios Log Server.