| Name | CVE-2025-61908 |
| Description | Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, when creating an invalid reference, such as a reference to null, dereferencing results in a segmentation fault. This can be used by any API user with access to an API endpoint that allows specifying a filter expression to crash the Icinga 2 daemon. A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7, and 2.13.13. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| icinga2 (PTS) | bullseye | 2.12.3-1 | vulnerable |
| icinga2 (PTS) | bullseye (security) | 2.12.3-1+deb11u1 | vulnerable |
| icinga2 (PTS) | bookworm | 2.13.6-2+deb12u2 | vulnerable |
| icinga2 (PTS) | trixie | 2.14.6-1 | vulnerable |
| icinga2 (PTS) | forky, sid | 2.15.1-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| icinga2 | source | (unstable) | 2.15.1-1 | | | |

[bullseye] - icinga2 <postponed> (Minor issue, only exploitable by already authenticated users)
https://github.com/Icinga/icinga2/security/advisories/GHSA-v9jg-xqhj-f43g
https://github.com/Icinga/icinga2/commit/0dadce2b972f1d8d9f9b11f3a4eb9604b79cacb2 (v2.15.1)
https://github.com/Icinga/icinga2/commit/0d737e263a2244be07da85e5c5d6d914888255d4 (v2.14.7)
https://github.com/Icinga/icinga2/commit/b7549d09f64b05edb57d568a94e0df45d3b7cfd3 (v2.13.13)
https://icinga.com/blog/releasing-icinga-2-v2-15-1-2-14-7-and-2-13-13-and-icinga-db-web-v1-2-3-and-1-1-4/