Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.
An authenticated user (regardless of permission level) can execute an HTTP GET request to the endpoint /nagioslogserver/index.php/api/system/get_users. In response, the server returns user data containing administrator API keys in plaintext. The vulnerability is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Sphere), which means the system exposes protected information to entities that should not have access to it.
An attacker with any account in the system can obtain administrator API keys and take full administrative control over Nagios Log Server, which includes high confidentiality, integrity, and availability of the system and related resources.
Nagios Log Server should be updated to version 2024R1.3.2 or newer. Details regarding the patch are available in the vendor's changelog at https://www.nagios.com/changelog/#log-server
Nagios Log Server in all versions before 2024R1.3.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HNagios Log Server
APPNagios2024< 2024
Related vulnerabilities
RCE w Nagios Log Server — code injection przez malformed dashboard ID
Nagios Log Server: uruchamianie Logstash z uprawnieniami root (privilege escalation)
Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local privilege escalation due to a combinati...
Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the...
Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked ...