CVE-2025-44823 PUBLISHED

Assigner: mitre
Reserved: 22.04.2025 Published: 07.10.2025 Updated: 07.10.2025

Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Nagios
Product	Log Server
Versions	Default: unaffected affected from 0 to 2024R1.3.2 (excl.)

References

https://www.nagios.com/changelog/#log-server
https://www.exploit-db.com/exploits/52177

Problem Types

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere CWE