Werk #17010: XSS in SQL check parameters

Komponente

Setup

Titel

XSS in SQL check parameters

Datum

17.06.2024

Level

Kleine Änderung

Klasse

Sicherheitsfix

Kompatibilität

Kompatibel - benötigt kein manuelles Eingreifen

Checkmk versions & editions

2.4.0b1	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p8	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p29	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p45	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk an attacher could add HTML to one parameter of the Check SQL database rule which was executed on the overview page.

We found this vulnerability internally.

Affected Versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (probably older versions as well)

Indicators of Compromis: The creation of such rules is logged in the audit log. You can therefore check the wato_audit.log either on the terminal or in the UI for entries that contain malicious HTML.

Vulnerability Management: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L We assigned CVE-2024-6052 to this vulnerability.

Changes: This Werk fixes the escaping.

Zur Liste aller Werks