UBUNTU-CVE-2025-23203

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2025-23203
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-23203.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-23203
Related
Published
2025-03-26T14:15:00Z
Modified
2025-04-23T15:00:01Z
Summary
[none]
Details

Icinga Director is an Icinga config deployment tool. A Security vulnerability has been found starting in version 1.0.0 and prior to 1.10.3 and 1.11.3 on several director endpoints of REST API. To reproduce this vulnerability an authenticated user with permission to access the Director is required (plus api access with regard to the api endpoints). And even though some of these Icinga Director users are restricted from accessing certain objects, are able to retrieve information related to them if their name is known. This makes it possible to change the configuration of these objects by those Icinga Director users restricted from accessing them. This results in further exploitation, data breaches and sensitive information disclosure. Affected endpoints include icingaweb2/director/service, if the host name is left out of the query; icingaweb2/directore/notification; icingaweb2/director/serviceset; and icingaweb2/director/scheduled-downtime. In addition, the endpoint icingaweb2/director/services?host=filteredHostName returns a status code 200 even though the services for the host is filtered. This in turn lets the restricted user know that the host filteredHostName exists even though the user is restricted from accessing it. This could again result in further exploitation of this information and data breaches. Icinga Director has patches in versions 1.10.3 and 1.11.1. If upgrading is not feasible, disable the director module for the users other than admin role for the time being.

References

Affected packages

Ubuntu:20.04:LTS / icingaweb2-module-director

Package

Name
icingaweb2-module-director
Purl
pkg:deb/ubuntu/icingaweb2-module-director@1.6.0-1?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.0-1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / icingaweb2-module-director

Package

Name
icingaweb2-module-director
Purl
pkg:deb/ubuntu/icingaweb2-module-director@1.8.1-2?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.8.1-1
1.8.1-2

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / icingaweb2-module-director

Package

Name
icingaweb2-module-director
Purl
pkg:deb/ubuntu/icingaweb2-module-director@1.11.1-1?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.10.2-2
1.11.1-1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / icingaweb2-module-director

Package

Name
icingaweb2-module-director
Purl
pkg:deb/ubuntu/icingaweb2-module-director@1.10.2-2?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.10.2-1
1.10.2-2

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:25.04 / icingaweb2-module-director

Package

Name
icingaweb2-module-director
Purl
pkg:deb/ubuntu/icingaweb2-module-director@1.11.1-1?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.11.1-1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}