Werk #16227: Disabled automation users could still authenticate
| Komponente | Setup |
| Titel | Disabled automation users could still authenticate |
| Datum | 11.12.2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk-Version | 2.1.0p38 2.2.0p18 2.3.0b1 |
| Level | Kleine Änderung |
| Klasse | Sicherheitsfix |
| Kompatibilität | Inkompatibel - Manuelle Interaktion könnte erforderlich sein |
Prior to this Werk an automation user whose password was disabled also described as "disable the login to this account" was still able to authenticate. The information that a user was disabled was not checked for automation users.
We found this vulnerability internally.
Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 * 1.6.0 * 1.5.0 (probably older versions as well)
Mitigations: If the need arises to block an automation user one can change the password or remove that user from the system.
Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We assigned CVE-2023-31211 to this vulnerability.
Changes: This Werk adds a check for the disabled information. During update you will be warned if a automation user is currently disabled.
