Vulnerability Description
Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views are allowed to see hosts and services on the dependency map that they weren't meant to see. However, the name of an object will not be revealed, nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Icinga | Icinga DB Web | >= 1.2.0, < 1.2.2 |
References
- https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2 (Release Notes)
- https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473 (Patch, Vendor Advisory)
FAQ
What is CVE-2025-53840?
CVE-2025-53840 is a vulnerability with a CVSS score of 2.4 (LOW). Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views are allowed to see hosts and ser...
How severe is CVE-2025-53840?
CVE-2025-53840 has been rated LOW with a CVSS base score of 2.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-53840?
Check the references section above for vendor advisories and patch information. Affected products include: Icinga Icinga DB Web.