CVE-2025-23203: 
Icinga vulnerability analysis and mitigation

Icinga Director, a config deployment tool for Icinga, contains a security vulnerability (CVE-2025-23203) affecting versions 1.0.0 through versions prior to 1.10.3 and 1.11.3. The vulnerability was discovered and disclosed in January 2025, impacting several director endpoints of the REST API. This security issue allows authenticated users with Director access permissions to bypass access restrictions and retrieve information about objects they should not have access to (GitHub Advisory).

The vulnerability affects multiple REST API endpoints including icingaweb2/director/service, icingaweb2/directore/notification, icingaweb2/director/serviceset, and icingaweb2/director/scheduled-downtime. A notable aspect is that the endpoint icingaweb2/director/services?host=filteredHostName returns a status code 200 even for filtered hosts, inadvertently revealing their existence. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N, indicating network vector attack with low complexity but requiring high privileges (GitHub Advisory).

The vulnerability enables authenticated users to bypass access restrictions, potentially leading to unauthorized access to sensitive information and configuration changes to objects they should not have access to. This can result in data breaches, sensitive information disclosure, and further exploitation of the exposed information (GitHub Advisory).

The vulnerability has been patched in Icinga Director versions 1.10.3 and 1.11.3. Organizations are recommended to upgrade immediately to these patched versions. If immediate upgrading is not feasible, a temporary workaround is to disable the director module for all users except those with admin roles (GitHub Advisory).