DEBIAN-CVE-2025-61907

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-61907

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61907.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-61907

Upstream

CVE-2025-61907

Published

2025-10-16T18:15:37.820Z

Modified

2026-04-28T20:30:45.196749Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13.

References

https://security-tracker.debian.org/tracker/CVE-2025-61907

Affected packages

Debian:11 / icinga2

Package

Name: icinga2
Purl: pkg:deb/debian/icinga2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.12.3-1

2.12.3-1+deb11u1

2.12.4-1~exp1

2.12.5-1~exp1

2.12.5-1

2.13.0-1~exp1

2.13.1-1

2.13.2-1

2.13.3-1

2.13.4-1

2.13.5-1

2.13.5-2

2.13.6-1

2.13.6-2

2.13.7-1~exp1

2.13.7-1

2.13.8-1

2.14.0-1~exp1

2.14.1-1

2.14.2-1

2.14.2-1+loong64

2.14.3-1

2.14.4-1

2.14.5-1

2.14.6-1

2.15.0-1~exp1

2.15.0-1

2.15.1-1

2.15.2-1

2.15.2-2

2.16.0-1

2.16.0-2

2.16.0-3~exp1

2.16.0-3~exp2

2.16.0-3~exp3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61907.json"

Debian:12 / icinga2

Package

Name: icinga2
Purl: pkg:deb/debian/icinga2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.13.6-2

2.13.6-2+deb12u1

2.13.6-2+deb12u2

2.13.7-1~exp1

2.13.7-1

2.13.8-1

2.14.0-1~exp1

2.14.1-1

2.14.2-1

2.14.2-1+loong64

2.14.3-1

2.14.4-1

2.14.5-1

2.14.6-1

2.15.0-1~exp1

2.15.0-1

2.15.1-1

2.15.2-1

2.15.2-2

2.16.0-1

2.16.0-2

2.16.0-3~exp1

2.16.0-3~exp2

2.16.0-3~exp3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61907.json"

Debian:13 / icinga2

Package

Name: icinga2
Purl: pkg:deb/debian/icinga2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.14.6-1

2.15.0-1~exp1

2.15.0-1

2.15.1-1

2.15.2-1

2.15.2-2

2.16.0-1

2.16.0-2

2.16.0-3~exp1

2.16.0-3~exp2

2.16.0-3~exp3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61907.json"

Debian:14 / icinga2

Package

Name: icinga2
Purl: pkg:deb/debian/icinga2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.15.1-1

Affected versions

2.*

2.14.6-1

2.15.0-1~exp1

2.15.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61907.json"