Werk #16221: Livestatus Injections
| Komponente | Setup | ||||||
| Titel | Livestatus Injections | ||||||
| Datum | 15.11.2023 | ||||||
| Level | Kleine Änderung | ||||||
| Klasse | Sicherheitsfix | ||||||
| Kompatibilität | Kompatibel - benötigt kein manuelles Eingreifen | ||||||
| Checkmk versions & editions |
|
Prior to this Werk it was possible to inject arbitrary livestatus commands to the core via the WebUI.
We found this vulnerability internally.
Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0
Vulnerability Management: We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H. We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities.
Changes: This Werk strips the relevant parameters of newlines.