CVE-2025-48057

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-48057

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-48057.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-48057

Aliases

GHSA-7vcf-f5v9-3wr6

Downstream

UBUNTU-CVE-2025-48057

Published

2025-05-27T17:15:26Z

Modified

2025-07-01T16:33:44.698315Z

Summary

[none]

Details

Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious certificate request that is then treated as a renewal of an already existing certificate, resulting in the attacker obtaining a valid certificate that can be used to impersonate trusted nodes. This only occurs when Icinga 2 is built with OpenSSL older than version 1.1.0. This issue has been patched in versions 2.12.12, 2.13.12, and 2.14.6.

References

Affected packages

Debian:11 / icinga2

Package

Name: icinga2
Purl: pkg:deb/debian/icinga2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.12.3-1

2.12.3-1+deb11u1

2.12.4-1~exp1

2.12.5-1~exp1

2.12.5-1

2.13.0-1~exp1

2.13.1-1

2.13.2-1

2.13.3-1

2.13.4-1

2.13.5-1

2.13.5-2

2.13.6-1

2.13.6-2

2.13.7-1~exp1

2.13.7-1

2.13.8-1

2.14.0-1~exp1

2.14.1-1

2.14.2-1

2.14.2-1+loong64

2.14.3-1

2.14.4-1

2.14.5-1

2.14.6-1

2.15.0-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / icinga2

Package

Name: icinga2
Purl: pkg:deb/debian/icinga2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.13.6-2

2.13.6-2+deb12u1

2.13.6-2+deb12u2

2.13.7-1~exp1

2.13.7-1

2.13.8-1

2.14.0-1~exp1

2.14.1-1

2.14.2-1

2.14.2-1+loong64

2.14.3-1

2.14.4-1

2.14.5-1

2.14.6-1

2.15.0-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / icinga2

Package

Name: icinga2
Purl: pkg:deb/debian/icinga2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.14.6-1

Affected versions

2.*

2.13.6-2

2.13.7-1~exp1

2.13.7-1

2.13.8-1

2.14.0-1~exp1

2.14.1-1

2.14.2-1

2.14.2-1+loong64

2.14.3-1

2.14.4-1

2.14.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/icinga/icinga2

Affected ranges

Type: GIT
Repo: https://github.com/icinga/icinga2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

34c93a2542bbe4e9886d15bc17ec929ead1aa152

Fixed

4023128be42b18a011dda71ddee9ca79955b89cb

Fixed

60f75f4a3d5cbb234eb3694ba7e9076a1a5b8776

Fixed

9ad5683aab9eb392c6737ff46c830a945c9e240f

Fixed

9b2c05d0cc09210bdeade77cf9a73859250fc48d

Affected versions

v0.*

v0.0.1

v0.0.10

v0.0.11

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

v2.*

v2.0.0

v2.0.0-beta1

v2.0.0-beta2

v2.0.1

v2.0.2

v2.1.0

v2.1.1

v2.10.0

v2.10.1

v2.10.2

v2.10.3

v2.10.4

v2.10.5

v2.11.0

v2.11.0-rc1

v2.12.0

v2.12.0-rc1

v2.12.1

v2.12.10

v2.12.11

v2.12.2

v2.12.3

v2.12.4

v2.12.5

v2.12.6

v2.12.7

v2.12.8

v2.12.9

v2.13.0

v2.13.1

v2.13.10

v2.13.11

v2.13.2

v2.13.3

v2.13.4

v2.13.5

v2.13.6

v2.13.7

v2.13.8

v2.13.9

v2.14.0

v2.14.1

v2.14.2

v2.14.3

v2.14.4

v2.14.5

v2.2.0

v2.3.0

v2.3.1

v2.3.10

v2.3.11

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v2.4.0

v2.4.1

v2.4.10

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.7.0

v2.7.1

v2.7.2

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.9.0

v2.9.1

v2.9.2