Werk #13982: Reading host_config's will now honour contact groups
Komponente | REST API | ||||||
Titel | Reading host_config's will now honour contact groups | ||||||
Datum | 21.04.2023 | ||||||
Level | Kleine Änderung | ||||||
Klasse | Sicherheitsfix | ||||||
Kompatibilität | Kompatibel - benötigt kein manuelles Eingreifen | ||||||
Checkmk versions & editions |
|
Prior to this Werk it was possible for a user to read a hosts configuration
(using GET on /objects/host_config/<host_name>
) even if that user was not
in the contact group of that host.
The REST-API will correctly check a users permissions before serving a response in that case and report a 403 error if the user cannot access the host's config.
Affected Versions: * 2.2.0 (beta) * 2.1.0
Vulnerability Management: We calculated a CVSS 3.1 score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N We assigned CVE-2023-22348 to this vulnerability.
We found this vulnerability internally and have no indication of any exploitation.