Werk #17013: Livestatus injection in mknotifyd
Component | Notifications
Title | Livestatus injection in mknotifyd
Date | 08.07.2024
Level | Minor change
Class | Security fix
Compatibility | Compatible - no manual intervention required
Checkmk versions & editions |
Before this Werk, a malicious notification sent via mknotifyd could allow an attacker to send arbitrary Livestatus commands.
With this Werk, Livestatus escaping was added to the relevant functions.
This issue was found during internal review.
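The following added example (not Checkmk code and not the actual fix) illustrates why escaping matters for a line-based protocol like Livestatus, where a newline ends a header and a blank line ends a request. The function names and the sample value are hypothetical and constructed for illustration.

```python
# Added illustration, not taken from Checkmk. All names here are hypothetical.

# Constructed sample: a field from a notification that embeds a blank line
# followed by a second, harmless query.
CONSTRUCTED_VALUE = "web01\n\nGET status"


def build_query_unsafe(host_name: str) -> str:
    """Interpolate the value as-is: embedded newlines become protocol lines."""
    return f"GET hosts\nColumns: name state\nFilter: name = {host_name}\n\n"


def lq_escape(value: str) -> str:
    """Remove line terminators so the value cannot leave its header line.

    Stripping "\r" as well is a conservative assumption, not a protocol rule.
    """
    return value.replace("\r", "").replace("\n", "")


def build_query_safe(host_name: str) -> str:
    """Same query, but the untrusted value is escaped before interpolation."""
    return f"GET hosts\nColumns: name state\nFilter: name = {lq_escape(host_name)}\n\n"


def parse_requests(stream: str) -> list[list[str]]:
    """Split a stream into requests the way a line-based server reads it:
    non-empty lines accumulate, a blank line closes the current request."""
    requests: list[list[str]] = []
    current: list[str] = []
    for line in stream.split("\n"):
        if line:
            current.append(line)
        elif current:
            requests.append(current)
            current = []
    if current:
        requests.append(current)
    return requests


if __name__ == "__main__":
    for builder in (build_query_unsafe, build_query_safe):
        parsed = parse_requests(builder(CONSTRUCTED_VALUE))
        print(builder.__name__, "->", len(parsed), "request(s):", parsed)
```

A check like `parse_requests` is also useful in unit tests: any query builder fed untrusted input should always yield exactly one request with the expected number of header lines.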
Affected Versions:
- 2.3.0
- 2.2.0
- 2.1.0
- 2.0.0 (EOL)
Vulnerability Management:
We have rated the issue with a CVSS Score of 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) and assigned CVE-2024-6542.