Werk #15890: user: read permissions are now checked in the request schema before delete/edit/create user

Component REST API
Title user: read permissions are now checked in the request schema before delete/edit/create user
Date 15.06.2023
Level Minor change
Class Security fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p5 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this Werk, an authenticated user was able to enumerate usernames via the REST API.

We found this vulnerability internally.

Affected Versions:
* 2.2.0

Indicators of Compromise: You can check var/log/apache/access_log for an unusual amount of requests to the user_config REST API endpoints.
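As an added illustration, not part of the Werk, the following Python scanner performs the check described above: it parses combined-format access_log lines, counts requests per client IP to the user_config endpoints, and reports clients above a threshold. The `/<site>/check_mk/api/<version>/` path layout is assumed, and the sample log lines (IPs, usernames, status codes) are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The endpoints named in the Werk. The "/<site>/check_mk/api/<version>/" prefix is an
# assumption about the site's URL layout, so only the tail of the path is matched.
USER_CONFIG_RE = re.compile(r'/check_mk/api/[^/]+/(domain-types|objects)/user_config(/|$)')


def parse_line(line):
    """Return the fields of one access_log line, or None if it is not parseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def user_config_hits(lines):
    """Per client IP, count requests to user_config endpoints, broken down by status code."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not USER_CONFIG_RE.search(rec["path"]):
            continue
        hits[rec["ip"]][rec["status"]] += 1
    return hits


def suspicious_clients(lines, threshold=20):
    """IPs whose user_config request volume exceeds the threshold (site-specific; tune it)."""
    return sorted(ip for ip, c in user_config_hits(lines).items() if sum(c.values()) > threshold)


# Constructed sample: one admin doing a single legitimate edit, one client hammering the endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - admin [15/Jun/2023:10:00:00 +0200] "PUT /mysite/check_mk/api/1.0/objects/user_config/alice HTTP/1.1" 200 512 "-" "curl/7.88"',
    '10.0.0.5 - admin [15/Jun/2023:10:00:01 +0200] "GET /mysite/check_mk/api/1.0/domain-types/host_config/collections/all HTTP/1.1" 200 4096 "-" "curl/7.88"',
] + [
    f'192.0.2.77 - probe [15/Jun/2023:11:00:{i:02d} +0200] "DELETE /mysite/check_mk/api/1.0/objects/user_config/user{i} HTTP/1.1" 404 120 "-" "python-requests/2.31"'
    for i in range(25)
]

if __name__ == "__main__":
    for ip, counts in user_config_hits(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

On a real site, feed the function the lines of var/log/apache/access_log and correlate flagged IPs with the `user` field before acting on them.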

Vulnerability Management: We have rated the issue with a CVSS Score of 4.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

We assigned CVE-2023-22359 to this vulnerability.

Changes: When calling any of the following endpoints, a 401 will be returned if the client user doesn't have permission to read users.
* POST /domain-types/user_config/collections/all
* PUT /objects/user_config/{username}
* DELETE /objects/user_config/{username}
