CVE-2025-28059

{"id": "CVE-2025-28059", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-04-18T17:15:34.700", "references": [{"url": "https://github.com/aakashtyal/Residual-Data-Access-Post-User-Deletion-in-Nagios-Network-Analyzer-Version-2024R1", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.nagios.com/changelog/#network-analyze", "tags": ["Release Notes"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso en Nagios Network Analyzer 2024R1.0.3 permite que usuarios eliminados conserven el acceso a los recursos del sistema debido a la invalidaci\u00f3n incorrecta de sesiones y al manejo de tokens obsoletos. Cuando un administrador elimina una cuenta de usuario, el backend no finaliza las sesiones activas ni revoca los tokens de API asociados, lo que permite el acceso no autorizado a funciones restringidas."}], "lastModified": "2025-07-11T13:33:38.457", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nagios:network_analyzer:2024:r1.0.3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9896555A-4661-43E4-970C-625C091639D2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}