Werk #15200: Restrict check_sftp local paths
| Komponente | Checks & agents | ||||||||
| Titel | Restrict check_sftp local paths | ||||||||
| Datum | 16.05.2024 | ||||||||
| Level | Kleine Änderung | ||||||||
| Klasse | Sicherheitsfix | ||||||||
| Kompatibilität | Inkompatibel - Manuelle Interaktion könnte erforderlich sein | ||||||||
| Checkmk versions & editions |
|
Prior to this Werk, check_sftp did not restrict the local paths that for files to be uploaded and downloaded.
This allowed users with the permissions to configure check_sftp to read or write files within the Checkmk site home.
The local paths are now restricted to the folder var/check_mk/active_checks/check_sftp within the Checkmk site home.
As a consequence, the local paths in existing configurations will now be interpreted as relative to that folder.
Since a test file is created if the local file to upload doesn't exist, the check will continue to work, but it will not pick up files from the old location.
Similarly, the downloaded files will be stored in a new location.
This issue was found during internal review.
If you want a hot-fix in existing versions and are not using check_sftp, you can remove the executable (/omd/sites/[SITE_ID]/lib/nagios/plugins/check_sftp) from your installation.
Affected Versions:
- 2.3.0
- 2.2.0
- 2.1.0
- 2.0.0 (EOL)
Vulnerability Management:
We have rated the issue with a CVSS Score of 8.8 High with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and assigned CVE CVE-2024-28826.