Hi,

On Tue, Apr 01, 2025 at 08:47:30PM +0200, Salvatore Bonaccorso wrote:
> Source: icingaweb2-module-director
> Version: 1.11.1-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for icingaweb2-module-director.
>
> CVE-2025-23203[0]:
> | Icinga Director is an Icinga config deployment tool. A Security
> | vulnerability has been found starting in version 1.0.0 and prior to
> | 1.10.3 and 1.11.3 on several director endpoints of REST API. To
> | reproduce this vulnerability an authenticated user with permission
> | to access the Director is required (plus api access with regard to
> | the api endpoints). And even though some of these Icinga Director
> | users are restricted from accessing certain objects, are able to
> | retrieve information related to them if their name is known. This
> | makes it possible to change the configuration of these objects by
> | those Icinga Director users restricted from accessing them. This
> | results in further exploitation, data breaches and sensitive
> | information disclosure. Affected endpoints include
> | icingaweb2/director/service, if the host name is left out of the
> | query; icingaweb2/directore/notification;
> | icingaweb2/director/serviceset; and
> | icingaweb2/director/scheduled-downtime. In addition, the endpoint
> | `icingaweb2/director/services?host=filteredHostName` returns a
> | status code 200 even though the services for the host is filtered.
> | This in turn lets the restricted user know that the host
> | `filteredHostName` exists even though the user is restricted from
> | accessing it. This could again result in further exploitation of
> | this information and data breaches. Icinga Director has patches in
> | versions 1.10.3 and 1.11.1. If upgrading is not feasible, disable
> | the director module for the users other than admin role for the time
> | being.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> Note the information available is a bit confusing, so needs some
> clarification if you can identify the change from 1.11.1. While the
> description claims that it is fixed in 1.11.1, this is in disagreement
> with the advisory itself[1], saying it is in 1.11.3 and furthermore
> the actual commit restricting the endpoints is in 1.11.4[2].

Okay actually
https://github.com/Icinga/icingaweb2-module-director/releases/tag/v1.11.4
agrees with this, the fix is only in v1.11.4. Do not know why upstream
has disagreement notes on their own GHSA.

Regards,
Salvatore