Werk #15195: Protect automation user secret against timing attacks
Component | Setup |
Title | Protect automation user secret against timing attacks |
Date | 17.11.2023 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk Version | 2.1.0p37 2.2.0p15 2.3.0b1 |
Level | Minor change |
Class | Security fix |
Compatibility | Compatible - no manual intervention required |
This Werk improves how the secret of an automation user is validated during login. Prior to this Werk, the automation user's password was not checked in a way that is safe against (theoretical) timing attacks. This is now fixed.
Even though this Werk improves security, it does not address an exploitable vulnerability. To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
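To show what "safe against timing attacks" means for a secret check, here is an added Python example; it is not Checkmk's code. The user store, the secret and the names `naive_check`, `constant_time_check` and `AUTOMATION_SECRETS` are constructed for illustration. It contrasts a comparison that stops at the first mismatch with one based on the standard library's `hmac.compare_digest`.

```python
import hmac

# Constructed sample store; the user name and secret are made up for this example.
AUTOMATION_SECRETS = {"automation": "s3cr3t-Ünicode-0123456789"}
_DUMMY = "x" * 32  # compared against when the user is unknown


def naive_check(stored: str, supplied: str) -> tuple:
    """Early-exit comparison, the pattern to avoid.

    Returns (match, bytes_examined). The work done grows with the length of
    the correct prefix, which is the signal a timing measurement picks up.
    """
    a, b = stored.encode("utf-8"), supplied.encode("utf-8")
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return False, i
    return True, len(a)


def constant_time_check(username: str, supplied: str) -> bool:
    """Compare so that the position of the first mismatch does not affect timing."""
    stored = AUTOMATION_SECRETS.get(username)
    # Encode first: hmac.compare_digest() raises TypeError on non-ASCII str input.
    candidate = supplied.encode("utf-8")
    if stored is None:
        # Still run a comparison so an unknown user follows a similar code path.
        hmac.compare_digest(_DUMMY.encode("utf-8"), candidate)
        return False
    return hmac.compare_digest(stored.encode("utf-8"), candidate)
```

`naive_check` reports how many bytes it examined so the data-dependent work is visible without measuring wall-clock time; `hmac.compare_digest` may still reveal a length difference, but not where two equal-length inputs diverge.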