PT-2025-12889 · Icinga · Icinga Director

Published: 2025-03-26 · Updated: 2026-01-20 · CVE-2025-23203

CVSS v3.1: 5.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Icinga Director versions 1.0.0 through 1.10.2
Icinga Director versions 1.0.0 through 1.11.2
Description

A security issue has been found in Icinga Director, affecting several REST API endpoints. It allows authenticated users who have permission to access the Director to retrieve information about certain objects even when they are restricted from accessing those objects. The affected endpoints are "icingaweb2/director/service", "icingaweb2/director/notification", "icingaweb2/director/serviceset" and "icingaweb2/director/scheduled-downtime". In addition, the endpoint "icingaweb2/director/services?host=filteredHostName" returns status code 200, which reveals that a host exists even when the user is restricted from accessing it. This could result in further exploitation and data breaches.
Recommendations

For Icinga Director versions 1.0.0 through 1.10.2, update to version 1.10.3 or later. For Icinga Director versions 1.0.0 through 1.11.2, update to version 1.11.1 or later. As a temporary workaround, consider disabling the director module for users other than the admin role until a patch is applied.

Weakness Enumeration

Improper Access Control
Information Disclosure

Related Identifiers

ALT-PU-2025-10629
CVE-2025-23203
GHSA-3233-GGC5-M3QG

Affected Products

Alt Linux
Debian
Icinga Director