Name | CVE-2025-61789 |
Description | Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |

The table below lists information on source packages.

Source Package | Release | Version | Status |
---|---|---|---|
icingadb-web (PTS) | bookworm | 1.0.2-1 | vulnerable |
icingadb-web (PTS) | trixie | 1.1.3-1 | vulnerable |
icingadb-web (PTS) | forky | 1.2.2-1 | vulnerable |
icingadb-web (PTS) | sid | 1.2.3-1 | fixed |

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
icingadb-web | source | (unstable) | 1.2.3-1 | | | |

https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429
Fixed by: https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18 (v1.2.3)
Fixed by: https://github.com/Icinga/icingadb-web/commit/79fc07e7ee4c3d43981487753e82d1f22e956dce (v1.1.4)
Fixed by: https://github.com/Icinga/icingadb-web/commit/3b13f094422bc2faded38e4195559a22a172d0ed (v1.1.4)
Fixed by: https://github.com/Icinga/icingadb-web/commit/fa4191363b83c8d3e7d854f623ad74b28ae08d7c (v1.1.4)
Fixed by: https://github.com/Icinga/icingadb-web/commit/489c8c457c8585e66d2cb502e30dbd8cb5c19e57 (v1.1.4)
https://icinga.com/blog/releasing-icinga-2-v2-15-1-2-14-7-and-2-13-13-and-icinga-db-web-v1-2-3-and-1-1-4/