CVE-2025-34272

In Nagios Log Server versions prior to 2024R2.0.3, when a user's configured default dashboard is deleted, the application does not reliably fall back to an empty, default dashboard. In some implementations this can result in an unexpected dashboard being presented as the user's default view. Depending on the product's dashboard sharing and access policies, this behavior may cause information exposure or unexpected privilege exposure.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.nagios.com/changelog/#log-server	Release Notes
https://www.nagios.com/products/security/#log-server-2024R2	Vendor Advisory
https://www.vulncheck.com/advisories/nagios-log-server-non-empty-default-dashboard-fallback	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nagios:log_server::::::::
	cpe:2.3:a:nagios:log_server:2024:r1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.0.1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.0.2::::::
	cpe:2.3:a:nagios:log_server:2024:r1.1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.2::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3.1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3.2::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3.3::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3.4::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3.5::::::
	cpe:2.3:a:nagios:log_server:2024:r2::::::
	cpe:2.3:a:nagios:log_server:2024:r2.0.1::::::
	cpe:2.3:a:nagios:log_server:2024:r2.0.2::::::

History

06 Nov 2025, 16:29

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-30 22:15

Updated : 2025-11-06 16:29

NVD link : CVE-2025-34272

Mitre link : CVE-2025-34272

CVE.ORG link : CVE-2025-34272

JSON object : View

Products Affected

nagios

log_server

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2025-34272", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-10-30T22:15:47.810", "references": [{"url": "https://www.nagios.com/changelog/#log-server", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://www.nagios.com/products/security/#log-server-2024R2", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/nagios-log-server-non-empty-default-dashboard-fallback", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "In Nagios Log Server versions prior to 2024R2.0.3, when a user's configured default dashboard is deleted, the application does not reliably fall back to an empty, default dashboard. In some implementations this can result in an unexpected dashboard being presented as the user's default view. Depending on the product's dashboard sharing and access policies, this behavior may cause information exposure or unexpected privilege exposure."}], "lastModified": "2025-11-06T16:29:24.517", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nagios:log_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87E74637-713C-4DD7-B97E-2F247B7B12B1", "versionEndExcluding": "2024"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B93D415C-B2C0-42CE-B9B3-29C29A3DCC16"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "997B64B5-A3F2-4D0E-B05E-CCA76D598C18"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D20F6746-83DD-49AE-8C3D-AF2FFB47A89E"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5EF32AF5-19EA-495A-AB28-F78F33DDEC3F"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C26DE7A-37AA-4570-81C1-2E0C1A9026F7"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52C22468-A773-49C8-81AD-9B76C26BFFD1"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CEC223A-A3EE-4C51-8B71-E19C73B9215C"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB7A3A2A-DF36-4495-A5FE-826085120997"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0AC10FEF-5606-4949-9E5E-E44FE1CE418D"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC2BBD0F-12FE-4A8F-894E-ABAEEE081E10"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16861134-A375-4918-8171-77C14A3351EB"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AAEC3D7-AD80-4647-9130-F42CE4785906"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r2.0.1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB3DFA03-0D49-4E43-9041-D7C30615B3D5"}, {"criteria": "cpe:2.3:a:nagios:log_server:2024:r2.0.2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2333DBDE-6F1F-4286-B58C-74ABE18B9469"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}