CVE-2025-48057

EPSS 0.04%
Veröffentlicht 27.05.2025 16:32:29
Zuletzt bearbeitet 05.12.2025 00:12:22
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious certificate request that is then treated as a renewal of an already existing certificate, resulting in the attacker obtaining a valid certificate that can be used to impersonate trusted nodes. This only occurs when Icinga 2 is built with OpenSSL older than version 1.1.0. This issue has been patched in versions 2.12.12, 2.13.12, and 2.14.6.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Icinga ≫ Icinga Version < 2.12.12

Icinga ≫ Icinga Version >= 2.13.0 < 2.13.12

Icinga ≫ Icinga Version >= 2.14.0 < 2.14.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.124

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-296 Improper Following of a Certificate's Chain of Trust

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

https://github.com/Icinga/icinga2/security/advisories/GHSA-7vcf-f5v9-3wr6

Patch

Vendor Advisory

https://github.com/Icinga/icinga2/commit/34c93a2542bbe4e9886d15bc17ec929ead1aa152

Patch

https://github.com/Icinga/icinga2/commit/4023128be42b18a011dda71ddee9ca79955b89cb

Patch

https://github.com/Icinga/icinga2/commit/60f75f4a3d5cbb234eb3694ba7e9076a1a5b8776

Patch

https://github.com/Icinga/icinga2/commit/9ad5683aab9eb392c6737ff46c830a945c9e240f

Patch

https://github.com/Icinga/icinga2/commit/9b2c05d0cc09210bdeade77cf9a73859250fc48d

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-48057

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-48057

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-48057

EUVD