CRITICAL🇵🇱 Wersja polska

CVE-2025-44823

CVSS 9.9v3.1pub. 2025-10-07upd. 2025-11-06

Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.

🤖 AI Analysis
How it works

An authenticated user (regardless of permission level) can execute an HTTP GET request to the endpoint /nagioslogserver/index.php/api/system/get_users. In response, the server returns user data containing administrator API keys in plaintext. The vulnerability is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Sphere), which means the system exposes protected information to entities that should not have access to it.

Impact

An attacker with any account in the system can obtain administrator API keys and take full administrative control over Nagios Log Server, which includes high confidentiality, integrity, and availability of the system and related resources.

Mitigation & patch

Nagios Log Server should be updated to version 2024R1.3.2 or newer. Details regarding the patch are available in the vendor's changelog at https://www.nagios.com/changelog/#log-server

Who is affected

Nagios Log Server in all versions before 2024R1.3.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Nagios Log Server

    APP
    Nagios
    2024< 2024
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-34277CRITICAL9.4PL ✓ten sam produkt

RCE w Nagios Log Server — code injection przez malformed dashboard ID

CVE-2025-34274CRITICAL9.3PL ✓ten sam produkt

Nagios Log Server: uruchamianie Logstash z uprawnieniami root (privilege escalation)

CVE-2025-34323HIGH8.5ten sam produkt

Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local privilege escalation due to a combinati...

CVE-2025-34322HIGH8.6ten sam produkt

Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the...

CVE-2023-7322HIGH8.7ten sam produkt

Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked ...