CVE-2025-23203 – Icinga has rest API endpoints accessible to restricted users

https://notcve.org/view.php?id=CVE-2025-23203

26 Mar 2025 — Icinga Director is an Icinga config deployment tool. A Security vulnerability has been found starting in version 1.0.0 and prior to 1.10.3 and 1.11.3 on several director endpoints of REST API. To reproduce this vulnerability an authenticated user with permission to access the Director is required (plus api access with regard to the api endpoints). And even though some of these Icinga Director users are restricted from accessing certain objects, are able to retrieve information related to them if their name ... • https://github.com/Icinga/icingaweb2-module-director/releases/tag/v1.10.3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-284: Improper Access Control •