Werk #13982: Reading host_config's will now honour contact groups

Component REST API
Title Reading host_config's will now honour contact groups
Date 21.04.2023
Level Minor change
Class Security fix
Compatibility Compatible - does not require manual intervention
Checkmk versions & editions
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b8 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p28 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk it was possible for a user to read a host's configuration (using GET on /objects/host_config/<host_name>) even if that user was not in the contact group of that host.

The REST API now correctly checks a user's permissions before serving a response in that case and reports a 403 error if the user cannot access the host's config.
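To make the fix concrete, here is an added illustrative model of the check, not Checkmk's own code: the `User`, `Host` and `Forbidden` types, the `HOSTS` sample data and the two handler functions are hypothetical stand-ins for the real REST API implementation. The "before" handler returns the configuration without consulting contact groups; the "after" handler runs the contact-group check first and refuses with a 403-style error when it fails.

```python
"""Illustrative model of the access check described in Werk #13982.

Added example, not Checkmk's own code: the data structures, function names
and the ``Forbidden`` exception are hypothetical stand-ins for the real
REST API implementation.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not see the object (maps to HTTP 403)."""


@dataclass(frozen=True)
class User:
    name: str
    contact_groups: frozenset[str]
    # Hypothetical flag for roles (e.g. admins) allowed to see every host.
    may_see_all_hosts: bool = False


@dataclass(frozen=True)
class Host:
    name: str
    contact_groups: frozenset[str]
    attributes: dict = field(default_factory=dict)


# Constructed sample data standing in for a site's host configuration.
HOSTS = {
    "web01": Host("web01", frozenset({"webteam"}), {"ipaddress": "10.0.0.10"}),
    "db01": Host("db01", frozenset({"dbteam"}), {"ipaddress": "10.0.0.20"}),
}


def get_host_config_before_fix(user: User, host_name: str) -> dict:
    """Behaviour the Werk describes prior to the fix: any authenticated user
    could read any host's configuration, regardless of contact groups."""
    host = HOSTS[host_name]
    return {"id": host.name, "attributes": dict(host.attributes)}


def user_may_see_host(user: User, host: Host) -> bool:
    """Contact-group check: the user must share at least one contact group
    with the host, unless they hold a permission to see all hosts."""
    if user.may_see_all_hosts:
        return True
    return bool(user.contact_groups & host.contact_groups)


def get_host_config_after_fix(user: User, host_name: str) -> dict:
    """Fixed behaviour: the permission check runs before any data is built,
    and a failing check raises Forbidden instead of returning the config."""
    host = HOSTS[host_name]
    if not user_may_see_host(user, host):
        raise Forbidden(f"user {user.name!r} may not access host {host_name!r}")
    return {"id": host.name, "attributes": dict(host.attributes)}
```

The important design point is the ordering: the authorization decision is taken from the host's contact groups before the response is assembled, so a user outside those groups never receives the object's attributes, only the error.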

Affected Versions:
* 2.2.0 (beta)
* 2.1.0

Vulnerability Management: We calculated a CVSS 3.1 score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. We assigned CVE-2023-22348 to this vulnerability.

We found this vulnerability internally and have no indication of any exploitation.
