Werk #16221: Livestatus Injections
Component | Setup |
Title | Livestatus Injections |
Date | 15.11.2023 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk version | 2.1.0p37 2.2.0p15 2.3.0b1 |
Level | Minor change |
Class | Security fix |
Compatibility | Compatible - no manual intervention required |
Prior to this Werk, it was possible to inject arbitrary Livestatus commands into the core via the WebUI.
We found this vulnerability internally.
Affected Versions:
* 2.2.0
* 2.1.0
* 2.0.0
Vulnerability Management: We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H. We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities.
Changes: This Werk strips newlines from the relevant parameters.
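Why stripping newlines closes this class of bug, as an added example that is not Checkmk's own code: Livestatus requests are line-based, so a parameter that carries a line break can end its own header line and start another. The function names and the sample values below are hypothetical and constructed for illustration.

```python
# Added illustration; not taken from the Checkmk code base.
# All function names here are hypothetical.

def build_query_unsafe(table: str, column: str, value: str) -> str:
    """Interpolate parameters into a Livestatus query without sanitising."""
    return f"GET {table}\nColumns: name\nFilter: {column} = {value}\n\n"


def strip_newlines(value: str) -> str:
    """Remove line breaks so a parameter cannot terminate its header line."""
    return value.replace("\r", "").replace("\n", "")


def build_query_safe(table: str, column: str, value: str) -> str:
    """Same query, with every interpolated parameter stripped of newlines."""
    return build_query_unsafe(
        strip_newlines(table), strip_newlines(column), strip_newlines(value)
    )


def header_lines(query: str) -> list[str]:
    """Return the non-empty lines, i.e. what is parsed as separate lines."""
    return [line for line in query.split("\n") if line]


# Constructed sample inputs: a normal host name and one carrying a line break.
BENIGN = "web01"
CRAFTED = "web01\nLimit: 1"

if __name__ == "__main__":
    for label, builder in (("unsafe", build_query_unsafe),
                           ("safe", build_query_safe)):
        lines = header_lines(builder("hosts", "name", CRAFTED))
        print(f"{label}: {len(lines)} lines -> {lines}")
```

With the crafted value, the unsanitised builder emits one line more than the code intended; after stripping, the value stays inside its `Filter:` line and benign values are unchanged.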